Abstract

In this paper we present an assume-guarantee specification theory (aka interface theory from [3]) for modular synthesis and verification of real-time systems with critical timing constraints. It is a further step of our earlier work [10], which achieved an elegant algebraic specification theory for real-time systems endowed with the capability to freeze time. In this paper we relinquish such (unrealisable) capability and target more realistic systems without the ability to stop time.

In comparison with related works [11, H], we build our theory on a surprisingly simple framework of timed I/O automata enhanced with the invariant/co-invariant distinction, which, nevertheless, suffices to specify the timed assumption and guarantee of a component w.r.t. both safety and bounded-liveness requirements. When two specifications are parallel composed, the guarantee in one specification will be matched against the assumption in the other. Any mismatch gives rise to an occurrence of an incompatibility error. Our theory, in a combined process-algebraic and reactive-synthesis style, provides the operations of parallel composition for system integration, logical conjunction/disjunction for viewpoint fusion and independent development, and quotient for incremental synthesis.

We show that a substitutive refinement preorder, which is a coarsening of the pre-congruence in [10], constitutes the weakest pre-congruence preserving freedom of incompatibility errors. The coarsening requires a shift in the focus of our theory to a more game-theoretical treatment, where the coarsening constitutes a reactive synthesis game named normalisation and is efficiently implementable by a novel local ⊥-backpropagation algorithm.

Previously, timed concurrent games have been studied in [H, 11, 13], where one of the key concerns is the removal of time-blocking strategies by applying blame assignment [13]. Our timed games also have the issue of time-blocking strategies, which may arise through the composition of specifications. However, due to our distinctively different formulation of timed games, we have found another elegant solution to the problem without blame assignment. Our solution utilises a second reactive synthesis game called realisation, which is dual to normalisation and implementable by the dual local ⊤-backpropagation algorithm.

Based on the timed game formulation and as a further step to previous 
works, we also study the composition of synthesis games under different op- 
erators, e.g. the distributivity of realisation over conjunction, which arises 
through the composition of specifications, and which can also be usefully 
exploited as a theoretical foundation for the compositional synthesis [1^] of 
timed processes. 

Utilising such knowledge, we achieve the complete operational definition 
to all the composition operators (on specifications) and prove the weakest 
congruence result by applying the timed strategies semantics on the set of 
operators. 

Keywords: timed automata, timed interfaces, specification theory, 
assume/guarantee verification, reactive/controller synthesis, weakest 
congruence, substitutive refinement, conjunction, quotient 

1. Introduction 

Modular synthesis and verification of quantitative aspects (e.g. real- 
time, probability, reward, etc.) of computational and physical processes 
(e.g. cyber-physical systems) is an important research topic. For instance, 
[3] gives a general discussion and motivation of the modular approach to
quantitative system design. In this programme of quantitative study, a spec- 
ification of components consists of a combination of quantitative assumption 
and quantitative guarantee. One of the crucial criteria for the success of 
such a programme lies in a unified core theory, to which only minimal and 
additive extensions are required for addressing the different aspects, so that 
the amalgamation of the extensions does not entail overwhelming technical 
complications. 

As one step of the programme, this paper targets component-based devel- 
opment for real-time systems with critical timing constraints, such as embed- 
ded system components, the middleware layer and asynchronous hardware. 
We propose a complete timed specification theory using a framework of min- 
imal extension of timed automata. 



The framework provides the operations of parallel composition for ex- 
amining the structural behaviour of systems, logical conjunction/disjunction 
for viewpoint fusion and independent development, as well as quotient for 
incremental synthesis. 

The refinement relation is defined relative to the notion of incompatibility error. That is, parallel composition incurs the matching up of the assumption and guarantee from different components. Any AG mismatch generates an incompatibility error (denoted by ⊥) in the composed system. Refinement thus means error-free substitutivity: there is no context in which replacing a component by a refinement will introduce further incompatibility errors.¹

Previously, based on the framework, [10] introduced a compositional linear-time specification theory for real-time systems, where the substitutive refinement is the weakest pre-congruence preserving incompatibility errors (for the four operations), and is characterisable by a finite trace semantics. A key novelty of [10] lies in the introduction of an explicit timestop operation (denoted by ⊤) that halts the progress of the system clock.

Equipped with timestop, an environment of [10] 1) can tell two components apart by observing not only the occurrence of incompatibility errors but also the timing difference in such occurrences, and 2) can steer any component away from incompatibility errors no matter how error-prone it is. Thus, it gives rise to a finest congruence over a set of fully defined operators (esp. conjunction and quotient) as well as a greatly simplified theory.

While timestop is appropriate for a restricted class of applications, such as embedded systems and circuit design [20], there are cases where the operation of stopping the system clock is neither meaningful nor implementable. Similar observations have also been made in the works on concurrent timed games [H, 11, 13], where there is no explicit timestop operation but the use of implicit timestop by time-blocking strategies is considered unrealistic for winning games. Thus, it is desirable to consider systems without explicit or implicit timestops, which we call realisable systems.

For realisable systems, components that are not substitutively equivalent according to [10] can become equivalent under realisability. This is a consequence of the environment losing the power to observe the timing difference in error occurrences (see the example in Figure 6). Thus, we need a new substitutive refinement preorder, which is a coarsening of the pre-congruence in [10].

¹Note that the existence of incompatibility errors does not mean that the composed system is un-usable; an environment can still usefully exploit the system by only exercising the parts of its behaviours insulated from the incompatibility errors, as has been well explained in [14].

To best characterise the coarsening, our theory needs a shift in focus to a more game-theoretical treatment,² where the coarsening constitutes a reactive synthesis game called normalisation, and is efficiently implementable by a novel local ⊥-backpropagation algorithm which repeatedly removes incompatibility errors from a system. The ⊥-backpropagation algorithm is strictly more aggressive (i.e. it classifies more states as winning states) than the classical timed reactive synthesis algorithms [H, 7] and is crucial for our weakest congruence results.

Furthermore, similar to timed concurrent games [11, 13], where one of the key concerns is the removal of time-blocking strategies by applying blame assignment, it is also crucial in our framework to remove timestopping behaviours, since specification composition (e.g. conjunction and quotient) may generate new unrealisable behaviours. However, unlike [11, 13], our framework does not use blame assignment to remove unrealisable behaviours. Rather, we have found a different elegant solution based on a reactive synthesis game dual to normalisation, called realisation, largely thanks to our different formulation of timed games. Realisation can be efficiently implemented by the dual ⊤-backpropagation algorithm.

Furthermore, unlike previous works on timed concurrent games [H, 11, 13, 7], which mostly concentrate on studying a single game, our work also studies the composition of games under different operators. That is, each specification is embedded with a pair of synthesis games. When specifications are composed, we need to understand how the synthesis games interact or interfere with one another across the specification boundary and how we should define the composition of such games correctly. This will form a basis for both the compositional synthesis of timed processes and the full operational definition of specification composition operators.

Finally, some further contributions of our theory lie in 1) the process-algebraic technique of deriving process composition operations from state composition operations via state-to-process lifting, enabling the transfer of algebraic properties from the state composition level to the process composition level, 2) the robust and intuitive timed-strategies characterisation of the refinement and operators, which serves as a simple correctness proof of the operator definitions, 3) the linear-time (i.e. double trace sets) characterisation of the refinement and operators, which supports the explicit separation of assumption and guarantee and interfaces well with automata and learning techniques, and 4) the elegant minimal extension of timed automata that can distinguish, for the first time, the roles of I/O transition guards and invariant/co-invariant as specifying resp. timed safety/liveness assumptions/guarantees, thus making our TIOAs an appealing model for practical application of timed AG reasoning.

²In contrast, our early work [10] is based predominantly on a process-algebraic and trace-theoretical framework, where the timed game part plays only a supportive role, providing a general setting for the timed strategies semantics.

Outline. Section 2 introduces a minimal extension of timed automata as our formal framework, i.e. timed I/O automata (TIOA) and timed I/O transition systems (TIOTS). Based on TIOTSs, we introduce 1) the ⊥ state and the auto-⊥/semi-⊥ states as incompatibility errors in closed systems and open systems resp., and 2) the auto-⊤ and semi-⊤ states as explicit and implicit timestop. Based on ⊤- and ⊥-completed TIOTSs, we define the parallel composition operator using the state-to-process lifting technique.

Section 3 introduces our formulation of timed I/O games, consisting of three players: system, environment and coin. Then we define game rules and strategies and show that the parallel composition of specifications can be reduced to strategy composition. Finally we define refinement as error-free substitutivity and give the corresponding strategy characterisation via a so-called determinisation procedure that converts imperfect-information games into perfect-information games.

Section 4 introduces the concept of realisable specifications as well as the coarsened refinement. Then, we introduce the timed synthesis game called normalisation and show that auto-⊥/semi-⊥ states are localised versions of ⊥-winning states in such games. Finally, using the normalised strategies, we illustrate what the expected semantics is for operators like conjunction, disjunction and quotient.

Section 5 gives the operational definition of the operators using a combined process-algebraic and reactive-synthesis style. We first give the process-algebraic definitions (i.e. state-to-process lifting) for the restricted cases when operands are all normalised, and show 1) that the composition under conjunction and quotient may generate new unrealisable (i.e. time-blocking) strategies that are removable by another reactive-synthesis game called realisation, and 2) that semi-⊤/auto-⊤ states are localised versions of the ⊤-winning states for the realisation game.

Then we give the reactive-synthesis operational definitions for the gen- 
eral cases when specifications are not normalised. We study how the synthe- 
sis games interfere with each other across the specification boundary under 
different operators. We prove results like the distributivity of normalisa- 
tion/realisation over operations like conjunction, quotient, and determinisa- 
tion. 

Finally, Section 6 uses a case study to illustrate how we can use our novel backpropagation to synthesise controllers that can steer a component away from undesirable behaviours. Related work is considered in Section 7, while we conclude and suggest future work in Section 8.

2. Minimal TA Extension for Timed Specifications 

In this section we introduce our timed framework, i.e. timed I/O automata (TIOA) and timed I/O transition systems (TIOTS). Our framework has significant differences from the timed models defined by previous works [11, 10]. The distinction mostly lies in that our models are specially designed to support the mixed assume/guarantee specifications of components. That is, given a component, we specify both its system guarantee and environmental assumption, which are combined and mixed to be represented by a single automaton. In this respect our specifications are similar to the timed interfaces proposed by [H].

The origin of our framework appeared earlier in our work [10]. However, the version presented in this section contains important technical extensions as well as presentation improvements.

2.1. Timed I/O Automata 

Specifications in our theory are modelled by timed I/O transition systems, 
which can be compactly represented as timed I/O automata under certain 
restrictions. 

Clock constraints. Given a set $X$ of real-valued clock variables, a clock constraint over $X$, $cc : CC(X)$, is a boolean combination of atomic constraints of the form $x \bowtie d$ and $x - y \bowtie d$, where $x, y \in X$, $\bowtie \in \{<, \le, =, \ge, >\}$, and $d \in \mathbb{N}$.

Definition 1. A timed I/O automaton (TIOA) is a tuple $(C, I, O, L, l^0, AT, Inv, coInv)$, where:

• $C \subseteq X$ is a finite set of clock variables (ranged over by $x, y$, etc.)

• $A = I \uplus O$ is a finite alphabet (ranged over by $a, b$, etc.) consisting of the inputs $I$ and outputs $O$

• $L$ is a finite set of locations (ranged over by $l, l'$, etc.)

• $l^0 \in L$ is the initial location

• $AT \subseteq L \times CC(C) \times A \times 2^C \times L$ is a set of action transitions

• $Inv : L \to CC(C)$ and $coInv : L \to CC(C)$ assign invariants and co-invariants to locations, each of which is a downward-closed clock constraint.

In the rest of the paper we use $l \xrightarrow{g,a,rs} l'$ as a shorthand for $(l, g, a, rs, l') \in AT$. $g : CC(C)$ is the enabling guard of the transition, $a \in A$ the action, and $rs$ the subset of clock variables to be reset.

Our TIOAs are an extension of timed automata that distinguish input 
from output and invariant from co-invariant. They are designed for the 
assume/guarantee specification of timed components, and can be regarded 
as a simplification of the timed interface automata of [H]. In our frame- 
work, a specification is a combination of the timing assumptions made by 
the component on the inputs issued by the environment along with the tim- 
ing guarantees provided by the component on its outputs. Specifically: 

• Guards on output transitions express safety timing guarantees. The 
component guarantees that an output will only be fired at a point in 
time when it is allowed by a guard. 

• Guards on input transitions express safety timing assumptions. The 
component assumes that the environment will only issue an input at a 
time when it is allowed by a guard. 

• An invariant (at a location) expresses liveness timing guarantees. The 
system guarantees that some output will be fired before the time bound 
specified by the invariant has been exceeded. 

• A co-invariant expresses liveness timing assumptions. The component 
assumes that the environment will issue some input before the time 
bound specified by the co-invariant has been exceeded. 
Figure 1: Job scheduler and printer controller.



Example. Figure 1 depicts TIOAs representing a job scheduler together with a printer controller. The invariant at location A of the scheduler forces a bounded-liveness guarantee on outputs in that location: since time cannot be stopped and the invariant does not allow the scheduler to remain in A beyond $x = 100$, the start action must be fired before $x$ exceeds 100. After start has been fired, the clock $x$ is reset to 0 and the scheduler waits (possibly indefinitely) for the job to finish. In the case that the job does finish, the scheduler expects this to take place only at a time point satisfying $5 \le x \le 8$ (i.e. a safety assumption).

The controller waits for the job to start, after which it will wait exactly 1 time unit before issuing print (forced by the invariant $y \le 1$ on state 2 and the guard $y = 1$ on the print transition, acting together as a combined liveness and safety guarantee). Then, the controller requires the printer to acknowledge the job as having been printed within 10 time units (i.e. the co-invariant $y \le 10$ in state 3 acting as a bounded-liveness assumption). After receiving the acknowledgement, the controller must indicate to the scheduler, within 5 time units, that the job has finished.

2.2. Timed I/O Transition Systems 

Formally, the semantics of TIOAs is given by a minimal extension of timed transition systems, which are a special class of infinite labelled transition systems enhanced with two distinguished states ⊤ and ⊥.

Definition 2. A timed I/O transition system (TIOTS) is a tuple $\mathcal{P} = (I, O, S, s^0, \to)$, where $I$ and $O$ are the input and output actions respectively, $S = (L \times \mathbb{R}_{\ge 0}^{C}) \uplus \{\bot, \top\}$ is a set of states, $s^0 \in S$ is the designated initial state, and $\to \subseteq S \times (I \uplus O \uplus \mathbb{R}_{\ge 0}) \times S$ is the action- and time-labelled transition relation.



Plain states. A clock valuation over $C$ is a map $t$ that assigns to each clock variable $x$ in $C$ a real value from $\mathbb{R}_{\ge 0}$. A state of the TIOTS is a pair drawn from $L \times \mathbb{R}_{\ge 0}^{C}$ (i.e. the location and clock valuation pair), which we refer to as the set of plain states.

In addition, we introduce two special states ⊥ and ⊤. These can be explained from a game-theoretic perspective. ⊥ represents the violation of the assumptions on the environment, while ⊤ represents the violation of the guarantees by the system. Therefore, the system tries to avoid ⊤, while the environment tries to avoid ⊥. The trivial TIOTS with ⊤ (resp. ⊥) as the initial state is called the ⊤-TIOTS (resp. ⊥-TIOTS).

Notation. In the rest of the paper we use $p, p', p_i$ to range over plain states $P = L \times \mathbb{R}_{\ge 0}^{C}$ while $s, s', s_i$ range over $S$. Furthermore we define $tA = I \uplus O \uplus \mathbb{R}_{\ge 0}$ to be the set of timed actions, $tI = I \uplus \mathbb{R}_{\ge 0}$ to be the set of timed inputs, and $tO = O \uplus \mathbb{R}_{\ge 0}$ to be the set of timed outputs. Symbols like $\alpha, \beta$, etc. are used to range over $tA$.

A timed trace (ranged over by $tt, tt', tt_1$ etc.) is a finite mixed sequence of positive real numbers ($\mathbb{R}_{> 0}$) and visible actions such that no two numbers are adjacent to one another. For instance, $(0.33, a, 1.41, b, c, 3.1415)$ is a timed trace denoting the observation that action $a$ occurs at 0.33 time units, then another 1.41 time units elapse before the simultaneous occurrence of $b$ and $c$, which is followed by 3.1415 time units of no event occurrence. The empty trace is denoted by $\epsilon$. An infinite timed trace is an infinite such sequence.

We use $l(tt)$ to indicate the duration of $tt$, which is obtained as the sum of all the reals in $tt$, and use $c(tt)$ to count the number of action occurrences along $tt$. Concatenation of timed traces $tt$ and $tt'$, denoted $tt \frown tt'$, is obtained by appending $tt'$ onto $tt$ and coalescing adjacent reals (summing them). For instance, $(a, 1.41) \frown (0.33, b, 3.1415) = (a, (1.41 + 0.33), b, 3.1415) = (a, 1.74, b, 3.1415)$.

Prefix/extension are defined as usual by concatenation. We write $tt \upharpoonright tA_0$ for the projection of $tt$ onto the timed alphabet $tA_0$, which is defined by removing from $tt$ all actions not inside $tA_0$ and summing up adjacent reals.
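As an added illustration (not code from the paper), the following Python implements the timed-trace operations just defined: well-formedness (no two adjacent reals, zero delays dropped), $l(tt)$, $c(tt)$, concatenation with coalescing of the reals at the junction, projection onto a sub-alphabet, and the prefix relation induced by concatenation. Traces are plain Python lists of floats and action names; the tolerance constant EPS and the helper names are the example's own, not notation from the paper.

```python
from typing import Iterable, List, Set, Union

Event = Union[float, str]  # a delay (non-negative real) or a visible action name
EPS = 1e-9                 # tolerance for comparing real-valued delays (example choice)


def normalise(items: Iterable[Event]) -> List[Event]:
    """Build a well-formed timed trace: adjacent reals are summed and zero
    delays dropped, so no two reals end up adjacent to one another."""
    out: List[Event] = []
    for e in items:
        if isinstance(e, str):
            out.append(e)
        elif e < 0:
            raise ValueError("a delay cannot be negative")
        elif e > 0:
            if out and not isinstance(out[-1], str):
                out[-1] = out[-1] + e        # coalesce with the preceding real
            else:
                out.append(float(e))
    return out


def duration(tt: List[Event]) -> float:
    """l(tt): the sum of all reals in tt."""
    return sum(e for e in tt if not isinstance(e, str))


def count(tt: List[Event]) -> int:
    """c(tt): the number of action occurrences along tt."""
    return sum(1 for e in tt if isinstance(e, str))


def concat(tt: List[Event], tt2: List[Event]) -> List[Event]:
    """tt ^ tt': append tt' onto tt, coalescing the reals at the junction."""
    return normalise(list(tt) + list(tt2))


def project(tt: List[Event], tA0: Set[str]) -> List[Event]:
    """tt | tA0: drop actions outside tA0 and sum the reals that become adjacent."""
    return normalise(e for e in tt if not isinstance(e, str) or e in tA0)


def same_trace(tt: List[Event], tt2: List[Event]) -> bool:
    """Equality of timed traces up to floating-point tolerance on the delays."""
    if len(tt) != len(tt2):
        return False
    for e, f in zip(tt, tt2):
        if isinstance(e, str) or isinstance(f, str):
            if e != f:
                return False
        elif abs(e - f) > EPS:
            return False
    return True


def is_prefix(tt: List[Event], tt2: List[Event]) -> bool:
    """tt is a prefix of tt2 iff tt ^ rest = tt2 for some rest.  Because reals
    coalesce under concatenation, a trailing delay of tt may be shorter than
    the corresponding delay of tt2: (a, 1) is a prefix of (a, 1.5, b)."""
    if not tt:
        return True
    if len(tt) > len(tt2) or not same_trace(tt[:-1], tt2[:len(tt) - 1]):
        return False
    last, other = tt[-1], tt2[len(tt) - 1]
    if isinstance(last, str) or isinstance(other, str):
        return last == other
    return last <= other + EPS
```

The projection onto the empty alphabet collapses a trace to its single duration, and concat reproduces the paper's worked instance $(a, 1.41) \frown (0.33, b, 3.1415) = (a, 1.74, b, 3.1415)$.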

Determinism and Non-zenoness. We say a TIOTS is deterministic iff there is no ambiguous transition, i.e. $s \xrightarrow{\alpha} s' \wedge s \xrightarrow{\alpha} s''$ implies $s' = s''$. It is time additive providing $p \xrightarrow{d + d'} s'$ iff $p \xrightarrow{d} s$ and $s \xrightarrow{d'} s'$ for some $s$.

For a TIOTS $\mathcal{P}$, we use $p \xRightarrow{tt} p'$ to denote a finite execution starting from $p$ that produces trace $tt$ and leads to $p'$. Similarly, we can define infinite executions which produce infinite traces on $\mathcal{P}$. An infinite execution is zeno iff the action count is infinite but the duration is finite.

We say a TIOTS $\mathcal{P}$ is non-zeno providing no plain execution is zeno. $\mathcal{P}$ is strongly non-zeno iff there exists some $k \in \mathbb{N}$ s.t., for all plain executions $p \xRightarrow{tt} p'$, it holds that $l(tt) = 1$ implies $c(tt) \le k$. Here, we say a finite or infinite execution is a plain execution iff the execution only visits plain states.

Assumption on TIOTSs. We only consider non-zeno time-additive TIOTSs in this paper. For technical convenience (e.g. ease of defining time additivity and trace semantics), the definition of TIOTSs requires that ⊤ and ⊥ are chaotic states, i.e. states in which the outgoing transitions are all self-loops, one for each $\alpha \in tA$.

Strong non-zenoness is not an assumption of our theory. But with this additional requirement we can show that the synthesis and verification theory in this paper is fully automatable.

2.3. From TIOAs to TIOTSs 

In this section we show how to derive a TIOTS that represents the se- 
mantics of a TIOA. 

⊤/⊥ completion. We first introduce two semantics-preserving transformations on TIOTSs, which give an explicit representation for assumption and guarantee violations. The ⊥-completion of a TIOTS $\mathcal{P}$, denoted $\mathcal{P}^{\bot}$, adds an $a$-labelled transition from $p$ to ⊥ for every $p \in P$ $(= L \times \mathbb{R}_{\ge 0}^{C})$ and $a \in I$ s.t. $a$ is not enabled at $p$.³ The ⊤-completion, denoted $\mathcal{P}^{\top}$, adds an $\alpha$-labelled transition from $p$ to ⊤ for every $p \in P$ and $\alpha \in tO$ s.t. $\alpha$ is not enabled at $p$. This coincides with our game-based interpretation of ⊤ and ⊥, since:

1. a disabled input at a plain state is represented as an input transition to ⊥ (assumption violation)

2. a disabled output at a plain state is represented by an output transition from that state to ⊤ (guarantee violation)

3. a disabled delay is represented by a delay transition to ⊤ (guarantee violation).

³⊥-completion will make a TIOTS input-receptive, i.e. input-enabled at all states.
The mapping of disabled delays to ⊤ looks surprising, since time is controlled by neither the system nor the environment. Our bias towards ⊤ is due to a decision made relating to urgency semantics.

In classical semantics without I/O distinction, if a state has no delay transition enabled, then some action becomes urgent for firing. For I/O systems, if a state has no enabled delay transition, we have to choose either the inputs or the outputs (enabled at that state) to become urgent.

The above mapping of disabled delays to ⊤ implies we choose to make outputs urgent, since the pending ⊤ (guarantee violation) implies the system cannot let time pass and so must fire with urgency the other transitions under its control (i.e. an output transition).

⊤/⊥ removal. The inverse operations of ⊤/⊥ completion, called ⊤/⊥ removal, are also semantics-preserving transformations. For instance, ⊤-removal removes all output and delay transitions from plain states to ⊤ in the TIOTS.

We can now give the execution semantics of TIOAs in terms of ⊤/⊥-removed TIOTSs, since this makes the mapping simpler.

Clock valuation. We say a clock valuation $t$ satisfies a clock constraint $cc$, written $t \in cc$, if $cc$ evaluates to true under valuation $t$. $t + d$ denotes the valuation derived from $t$ by increasing the assigned value on each clock variable by $d \in \mathbb{R}_{\ge 0}$ time units. $t[rs \mapsto 0]$ denotes the valuation obtained from $t$ by resetting the clock variables in $rs$ to 0. Sometimes we use $\mathbf{0}$ for the clock valuation that maps all clock variables to 0.

Definition 3. The semantic mapping of a TIOA $\mathcal{V}$ is a TIOTS $(I, O, S, s^0, \to)$ with:

• set of states $S = (L \times \mathbb{R}_{\ge 0}^{C}) \uplus \{\bot, \top\}$

• initial state $s^0 = \top$ providing $\mathbf{0} \notin Inv(l^0)$, $s^0 = \bot$ providing $\mathbf{0} \in Inv(l^0) \wedge \neg coInv(l^0)$, and $s^0 = (l^0, \mathbf{0})$ providing $\mathbf{0} \in Inv(l^0) \wedge coInv(l^0)$,

• a transition relation $\to \subseteq S \times (I \uplus O \uplus \mathbb{R}_{\ge 0}) \times S$ being the smallest (time-additive) relation such that:

1. ⊤ and ⊥ are chaotic states,

2. If $l \xrightarrow{g,a,rs} l'$, $t' = t[rs \mapsto 0]$, $t \in Inv(l) \wedge coInv(l) \wedge g$, then:

(a) plain action: $(l, t) \xrightarrow{a} (l', t')$ providing $t' \in Inv(l') \wedge coInv(l')$

(b) magic action: $(l, t) \xrightarrow{a} \top$ providing $t' \in \neg Inv(l')$ and $a \in I$

(c) error action: $(l, t) \xrightarrow{a} \bot$ providing $t' \in Inv(l') \wedge \neg coInv(l')$ and $a \in O$.

3. plain delay: $(l, t) \xrightarrow{d} (l, t + d)$ if $t, t + d \in Inv(l) \wedge coInv(l)$

4. time-out delay: $(l, t) \xrightarrow{d} \bot$ if $t \in Inv(l) \wedge coInv(l)$ and $t + d \in Inv(l) \wedge \neg coInv(l)$.⁴

In TIOAs we do not have explicit ⊤ and ⊥. This is because we interpret a configuration $(l, t)$ as ⊤ if $t$ violates the invariant in location $l$, and we interpret a configuration $(l, t)$ as ⊥ if $t$ violates the co-invariant in location $l$ (while the invariant holds). The two types of configurations are collectively called illegal configurations. Sometimes we simply represent a location with true as the invariant and false as the co-invariant by ⊥. Dually, we have a ⊤ location.

The TIOTS attempts to track the configuration of the TIOA, and directly maps the illegal configurations to ⊤ and ⊥. Furthermore, our TIOTS does not contain transitions that are ⊤/⊥-removable. As a consequence, only output and delay transitions go to ⊥ and only input transitions go to ⊤.

Note that our interpretation gives priority to the invariant (cf. the occurrences of the condition $Inv \wedge \neg coInv$ in the above definition). If a delay exceeds the invariant bound before exceeding the co-invariant bound, the delay transition goes to ⊤, which is modelled as a disabled transition; if a delay exceeds the co-invariant bound before exceeding the invariant bound, the delay transition goes to ⊥ (i.e. time-out delay). However, if a delay exceeds both bounds simultaneously, the delay transition goes to ⊤ (i.e. as a disabled transition).
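The following Python, added here as an illustration rather than taken from the paper, implements Definition 3 together with the invariant-priority rule just described and the ⊤/⊥-completion of the previous subsection. Clock constraints are restricted to conjunctions of atoms $x \bowtie d$ (difference atoms $x - y \bowtie d$ are left out, since delays do not change clock differences), and the sample automaton is the job scheduler of Figure 1 as described in the example of Section 2.1; the guard on start, the reset on finish and the clock name are assumptions, since the figure itself is not reproduced here. The names holds, sup_delay, classify, step_action, step_delay and completed_step are the example's own.

```python
import math
import operator
from collections import namedtuple
from typing import Dict, List, Optional, Tuple, Union

TOP, BOT = "⊤", "⊥"
Valuation = Dict[str, float]
Atom = Tuple[str, str, float]  # (clock, op, d) stands for the atomic constraint  x op d
Constraint = List[Atom]        # conjunction of atoms; the empty list is "true"
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       ">=": operator.ge, ">": operator.gt}
Location = namedtuple("Location", "inv coinv")            # both downward-closed
Edge = namedtuple("Edge", "src guard action resets dst")  # (l, g, a, rs, l') in AT
TIOA = namedtuple("TIOA", "clocks inputs outputs locs init edges")
Plain = Tuple[str, Valuation]
State = Union[str, Plain]      # TOP, BOT, or a plain (location, valuation) pair

def holds(cc: Constraint, t: Valuation) -> bool:
    """t ∈ cc: every atom of the conjunction is satisfied by valuation t."""
    return all(OPS[op](t[x], d) for x, op, d in cc)

def sup_delay(cc: Constraint, t: Valuation) -> Tuple[float, bool]:
    """For downward-closed cc (only '<' / '<=' atoms) satisfied by t, return
    (D, closed): t + d satisfies cc for all d < D, and for d = D iff closed."""
    best, closed = math.inf, True
    for x, op, d in cc:
        assert op in ("<", "<="), "invariants/co-invariants must be downward-closed"
        bound = d - t[x]
        if bound < best or (bound == best and op == "<"):
            best, closed = bound, op == "<="
    return best, closed

def classify(a: TIOA, l: str, t: Valuation) -> Optional[str]:
    """Illegal configurations: ⊤ if t violates Inv(l) (the invariant has
    priority), ⊥ if Inv(l) holds but coInv(l) fails, None for a plain state."""
    if not holds(a.locs[l].inv, t):
        return TOP
    return None if holds(a.locs[l].coinv, t) else BOT

def initial(a: TIOA) -> State:
    """s^0 of Definition 3: the configuration (l^0, 0) or its ⊤/⊥ reading."""
    t0 = {x: 0.0 for x in a.clocks}
    return classify(a, a.init, t0) or (a.init, t0)

def step_action(a: TIOA, p: Plain, act: str) -> Optional[State]:
    """Rule 2 of Definition 3.  None means the transition is absent: an output
    into ⊤ or an input into ⊥ is ⊤/⊥-removable, hence simply disabled."""
    l, t = p
    for e in a.edges:
        if e.src == l and e.action == act and holds(e.guard, t):
            t2 = {x: 0.0 if x in e.resets else v for x, v in t.items()}
            kind = classify(a, e.dst, t2)
            if kind is None:
                return (e.dst, t2)                  # plain action
            if kind == TOP and act in a.inputs:
                return TOP                          # magic action
            if kind == BOT and act in a.outputs:
                return BOT                          # error action
    return None

def step_delay(a: TIOA, p: Plain, d: float) -> Optional[State]:
    """Rules 3 and 4 of Definition 3 closed under time additivity: once some
    d' <= d reaches ⊥, the chaotic ⊥ absorbs the remaining d - d'."""
    l, t = p
    t2 = {x: v + d for x, v in t.items()}
    if classify(a, l, t2) is None:
        return (l, t2)                              # plain delay
    DI, inv_closed = sup_delay(a.locs[l].inv, t)
    DC, coinv_closed = sup_delay(a.locs[l].coinv, t)
    if coinv_closed:   # co-invariant first fails strictly after delay DC
        timeout = DC < DI and d > DC
    else:              # co-invariant already fails at delay DC itself
        timeout = (DC < DI or (DC == DI and inv_closed)) and d >= DC
    return BOT if timeout else None   # time-out delay, or disabled (would be ⊤)

def completed_step(a: TIOA, p: Plain, label: Union[str, float]) -> State:
    """⊤/⊥-completion of the removed semantics: a disabled input leads to ⊥,
    a disabled output or delay leads to ⊤."""
    nxt = step_action(a, p, label) if isinstance(label, str) else step_delay(a, p, label)
    if nxt is not None:
        return nxt
    return BOT if label in a.inputs else TOP

def scheduler() -> TIOA:
    """Constructed sample: the job scheduler of Figure 1 as described in the text.
    The start guard, the reset on finish and the clock name are assumptions."""
    return TIOA(frozenset({"x"}), frozenset({"finish"}), frozenset({"start"}),
                {"A": Location([("x", "<=", 100)], []), "B": Location([], [])}, "A",
                [Edge("A", [], "start", frozenset({"x"}), "B"),
                 Edge("B", [("x", ">=", 5), ("x", "<=", 8)], "finish", frozenset({"x"}), "A")])
```

The interesting case is step_delay: a delay that overshoots the co-invariant bound while the invariant still holds is a time-out delay to ⊥, but a delay that overshoots the invariant first (or both bounds at once) is simply absent from the ⊤/⊥-removed TIOTS, and completed_step maps such an absent delay to ⊤. Because ⊥ is chaotic and the relation is time additive, any delay longer than a time-out delay also ends in ⊥ (footnote 4), which the two coinv_closed branches account for.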

2.4. Parallel composition

In the rest of the paper, we will develop our theory on top of TIOTSs, which are endowed with a richer repertoire of semantic machinery.⁵ In particular, we will use ⊤/⊥-completed TIOTSs extensively, since the nice duality possessed by ⊤/⊥-completed TIOTSs can simplify our presentation a lot.

⁴Note that by time additivity and the chaotic nature of ⊥: $p \xrightarrow{d} \bot$ implies $p \xrightarrow{d'} \bot$ for all $d' > d$.

⁵Furthermore, we will not restrict ourselves to TIOTSs mapped from TIOAs.
Figure 2: Parallel composition illustrated



But, from time to time, we will also use ⊤/⊥-removed TIOTSs or even ⊤/⊥-free TIOTSs, because, without ⊤ and ⊥, the TIOTSs are essentially classical I/O transition systems [17, 25], enabling us to tap into classical semantics.

Therefore, we will freely switch between the two levels of semantics in the sequel: ⊤/⊥-completed TIOTSs and ⊤/⊥-removed TIOTSs. Sometimes, when defining a new construct, the intuition is strong and clear on one level, but not on the other. So we will formulate the construct on the former and then extrapolate into the latter.

Let us start with the parallel composition operator, the most important 
operator in a specification theory. We will define the operator on top of 
T/_L-completed TIOTSs. But the intuition comes from the definitions with 
classical semantics. 

The example $A \parallel B$ of untimed I/O transition systems⁶ in Figure 2 shows the case of parallel composition of two processes, one with output $a$ disabled and the other with input $a$ enabled. According to classical semantics, this will produce an output which is disabled. If we move the example to the level of ⊤/⊥-completed TIOTSs (i.e. the composition of the completed $A$ and $B$), this means ⊤ in parallel with a plain state gives rise to the product state ⊤ (i.e. $\top \parallel p = \top$). Similarly, if we have two processes $C \parallel D$, in which input $a$ is disabled on one process and output $a$ is enabled on the other, then their parallel composition should generate an output action leading to $err$, which if mapped to the level of ⊤/⊥-completed TIOTSs gives rise to $\bot \parallel p = err$. The $err$ state models error-trapping states like those employed in the mechanisms of exception or timeout. Since we cannot interpret $err$ as ⊤, the only option left is to interpret it as ⊥. This gives rise to our definition of the parallel composition.

⁶Convention: plain states are unmarked while the ⊤ and ⊥ states are marked by ⊤ and ⊥ resp. To simplify drawing, multiple copies of ⊤ and ⊥ are allowed but the self-loops on them are omitted.

Parallel composition. Starting with the parallel composition operator, this paper will introduce a series of four operators for process composition, all of which are variants of the synchronised product operator. In order to obtain a modular structure and factor out the variations amongst operators, we adopt a two-step approach. In the first step we define a state composition operator and an alphabet composition operator. In the second step, we use the state-to-process lifting technique, defined as a generic synchronised product operator, to lift the composition to the process level.

A generic synchronised product operation $\|_{\otimes}$ is a binary process composition operation parameterised by another binary polymorphic operation $\otimes$. That is, $\otimes$ needs to be defined both as a state composition operation and as an alphabet composition operation.

State-to-process lifting. Given two ⊤/⊥-completed TIOTSs $\mathcal{P}_i = (I_i, O_i, S_i, s_i^0, \to_i)$ for $i \in \{0, 1\}$, satisfying $S_0 \cap S_1 = \{\bot, \top\}$, $\mathcal{P}_0 \|_{\otimes} \mathcal{P}_1$ gives rise to a new ⊤/⊥-completed TIOTS $\mathcal{P} = (I, O, S, s^0, \to)$ s.t. $(I, O) = (I_0, O_0) \otimes (I_1, O_1)$, $S = (P_0 \times P_1) \uplus P_0 \uplus P_1 \uplus \{\top, \bot\}$, $s^0 = s_0^0 \otimes s_1^0$ and $\to$ is the smallest relation containing $\to_0 \cup \to_1$⁷ and satisfying the rules:

$$\frac{p_0 \xrightarrow{\alpha}_0 s_0' \qquad p_1 \xrightarrow{\alpha}_1 s_1'}{p_0 \otimes p_1 \xrightarrow{\alpha} s_0' \otimes s_1'} \qquad \frac{p_0 \xrightarrow{\alpha}_0 s_0' \qquad \alpha \notin A_1}{p_0 \otimes p_1 \xrightarrow{\alpha} s_0' \otimes p_1} \qquad \frac{p_1 \xrightarrow{\alpha}_1 s_1' \qquad \alpha \notin A_0}{p_0 \otimes p_1 \xrightarrow{\alpha} p_0 \otimes s_1'}$$

The parallel composition operation is an instantiation of the generic synchronised product by the polymorphic operation $\|$, i.e. $\|_{\|}$. The associated interpretation of $s_0 \parallel s_1$ is supplied in Table 1, while $(I_0, O_0) \parallel (I_1, O_1)$ is defined to be $((I_0 \cup I_1) \setminus (O_0 \cup O_1),\ O_0 \cup O_1)$ under the assumption that $O_0 \cap O_1 = \{\}$, i.e. $\mathcal{P}_0$ and $\mathcal{P}_1$ have $\|$-composable alphabets.

In Table 1 the $\|$-product state is in ⊤ (or ⊥) if one of the component states is in ⊤ (or ⊥). If they are simultaneously (i.e. one each) in ⊤ and ⊥, ⊤ will have priority and the product will be ⊤.⁸

⁷Containment of $\to_0 \cup \to_1$ is not required for the parallel composition definition but is so for the conjunction and disjunction definitions in the sequel.

⁸If the TIOTSs are derived from TIOAs with disjoint clocks, then we define $p_0 \times p_1$ for plain states $p_i = (l_i, t_i)$ with $i \in \{0, 1\}$ as $((l_0, l_1), t_0 \uplus t_1)$.
                 p_1 = ⊤      p_1 plain       p_1 = ⊥
  p_0 = ⊤          ⊤            ⊤               ⊤
  p_0 plain        ⊤          p_0 × p_1         ⊥
  p_0 = ⊥          ⊤            ⊥               ⊥

Table 1: State ∥-product. 



The definition of the parallel operator can be lifted to TIOAs (c.f. Appendix A). 
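As an added example (not code from the paper), the state ∥-product of Table 1 and the three product rules can be run on untimed, deterministic I/O transition systems; the scheduler and controllers below are constructed for this example and only loosely mirror the job scheduler and printer controller of Appendix A.

```python
# Added example (not the paper's own code): the state ∥-product of Table 1
# and the three product rules, instantiated for untimed, deterministic I/O
# transition systems. Assumptions: time is dropped, and ⊤/⊥-completion is
# implicit: a missing input transition goes to ⊥ (the input is not expected
# there), a missing output transition goes to ⊤ (the output is never offered).
TOP, BOT = "⊤", "⊥"


class IOTS:
    """Deterministic I/O transition system with implicit ⊤/⊥-completion."""

    def __init__(self, inputs, outputs, init, trans):
        assert not (set(inputs) & set(outputs)), "I and O must be disjoint"
        self.I, self.O = frozenset(inputs), frozenset(outputs)
        self.init = init
        self.trans = dict(trans)           # (plain state, action) -> state

    @property
    def A(self):
        return self.I | self.O

    def step(self, p, a):
        """a-successor of p; ⊤ and ⊥ are absorbing, missing moves completed."""
        if p in (TOP, BOT):
            return p
        if (p, a) in self.trans:
            return self.trans[(p, a)]
        return BOT if a in self.I else TOP


def state_product(p0, p1):
    """Table 1: ⊤ has priority over ⊥, which has priority over plain pairs."""
    if TOP in (p0, p1):
        return TOP
    if BOT in (p0, p1):
        return BOT
    return (p0, p1)


def parallel(P0, P1):
    """P0 ∥ P1: synchronise on shared actions (rule 1), interleave actions
    foreign to the other side (rules 2 and 3). Requires O0 ∩ O1 = {}."""
    assert not (P0.O & P1.O), "not ∥-composable: outputs overlap"
    O = P0.O | P1.O
    I = (P0.I | P1.I) - O                  # a matched input becomes an output
    init = state_product(P0.init, P1.init)
    trans, todo, seen = {}, [init], set()
    while todo:
        q = todo.pop()
        if q in seen or q in (TOP, BOT):
            continue
        seen.add(q)
        p0, p1 = q
        for a in sorted(P0.A | P1.A):
            if a in P0.A and a in P1.A:            # rule 1: both move
                s = state_product(P0.step(p0, a), P1.step(p1, a))
            elif a in P0.A:                        # rule 2: a ∉ A1
                s = state_product(P0.step(p0, a), p1)
            else:                                  # rule 3: a ∉ A0
                s = state_product(p0, P1.step(p1, a))
            if s == TOP:
                continue                   # ⊤-removed view: move not offered
            trans[(q, a)] = s
            todo.append(s)
    return IOTS(I, O, init, trans)


def bottom_reachable(P):
    """Closed-system error check of Section 2.5: can the system reach ⊥?"""
    return P.init == BOT or BOT in P.trans.values()


# Constructed sample (not the paper's automata): a job scheduler that expects
# `finish` only after it has issued `start`.
SCHED = IOTS({"finish"}, {"start"}, "S0",
             {("S0", "start"): "S1", ("S1", "finish"): "S0"})
# A printer controller that emits `finish` only once it has been started.
CTRL_OK = IOTS({"start"}, {"finish"}, "C0",
               {("C0", "start"): "C1", ("C1", "finish"): "C0"})
# A faulty controller that may also fire `finish` before any `start`:
# its guarantee no longer matches the scheduler's assumption.
CTRL_BAD = IOTS({"start"}, {"finish"}, "C0",
                {("C0", "start"): "C1", ("C1", "finish"): "C0",
                 ("C0", "finish"): "C0"})

if __name__ == "__main__":
    for name, ctrl in (("ok", CTRL_OK), ("bad", CTRL_BAD)):
        sys_ = parallel(ctrl, SCHED)
        print(name, "⊥ reachable:", bottom_reachable(sys_), sorted(sys_.trans))
```

The faulty controller's spontaneous `finish` meets a disabled input of the scheduler, so Table 1 yields ⊥ in the closed composition, which is exactly the exception of Section 2.5.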



2.5. Incompatibility errors and timelocks 

When two components are composed, the parallel composition automatically checks whether the guarantees provided by one component meet the assumptions required by the other. For instance, the arrival of an input at a location and time of a component when it is not expected (i.e. the input is disabled at that location and time) triggers a safety error (aka exception) in the parallel composition. Likewise, the non-arrival of an expected input at a location before its timeout (specified by the co-invariant) triggers a bounded-liveness error (aka timeout) in the parallel composition. 

Formally, we have two possible ways to characterise the incompatibility 
errors (i.e. exception and timeout), one based on closed systems while the 
other on open systems. 

For closed systems, it is obvious that safety errors are simply action (i.e. output) transitions leading to ⊥, while bounded-liveness errors are delay transitions leading to ⊥. Thus a closed system is free of incompatibility errors iff it is free of ⊥, i.e. ⊥ is not reachable in the system. This characterisation is very robust, working for both the theory with the timestop capability and the theory without. Actually, we will use it as a basis for defining the refinement relations in both theories. The first refinement will be used as a stepping stone to build the second one. 

For open systems, however, the characterisation is less obvious. Below we use a detailed analysis of two examples to illustrate incompatibility errors. Note that the open-system characterisation is only meaningful for the theory without the capability to stop time. For the theory with timestop capability, since an environment can use ⊤ to steer any component out of ⊥, it is not meaningful to examine incompatibility errors before a system is fully closed. 

Examples: exception. Figure 3 shows the parallel composition of the job scheduler with the printer controller (c.f. Appendix A). In the transition from B4 to A1, the guard combines the effects of the constraints on the clocks x and y. As finish is an output of the controller, it can be fired at a time when the scheduler is not expecting it, meaning that an exception is raised due to a safety error. This is indicated by the transition to ⊥ when the guard constraint 5 < x < 8 is not satisfied. 

Figure 3: Parallel composition of the job scheduler and printer controller. 

Figure 4: Bounded liveness error. 

Technically speaking, an exception is modelled by auto-⊥. We say a plain state p is an auto-⊥ state iff p —a→ ⊥ for some a ∈ O. Obviously auto-⊥ is insensitive to ⊥-removal. 

Intuitively, an exception is an uncontrollable (i.e. by the environment) action transition to ⊥, i.e. the system can independently execute the action transition and go to ⊥ no matter how the environment behaves. In contrast, a TIOTS might also have controllable action transitions to ⊥, e.g. an input transition to ⊥, whose occurrence depends more on the environment than on the system. 



Examples: timeout. Another example, showing bounded-liveness errors, is given in Figure 4. In the closed system P ∥ Q, at location B2 the system is free to choose either to output finish after y > 2 or to delay until x > 3. If it chooses the latter, component P will time out in location B and the system will enter ⊥. Note that the timeout here is due to the fact that the urgency requirement at location 2 of Q (i.e. y <= 4) is weaker than the timeout bound set at location B of P (i.e. x <= 3). (If it were otherwise, the invariant at B2 would preempt the co-invariant at B2 and eliminate the possibility of timeout.) 

Technically speaking, a timeout is modelled by semi-⊥. We say a plain state p is a semi-⊥ state iff 1) all input transitions in p or any of its time-passing successors lead to ⊥, and 2) there exists d ∈ ℝ^{>0} s.t. p —d→ ⊥. Thus a semi-⊥ represents a point in time from which on the environment has no safe input that it can use to interrupt the system's delay process into ⊥. Our definition is based on ⊤/⊥-complete TIOTSs. It is easy to see that semi-⊥ is not affected by ⊥-removal. Thus we can extrapolate the definition onto ⊤/⊥-removed TIOTSs as well. 

Intuitively, a timeout is an uncontrollable delay transition to ⊥, i.e. the system can independently execute the delay transition and go to ⊥ no matter how the environment behaves. In contrast, a TIOTS might also have controllable delay transitions to ⊥, e.g. a delay transition to ⊥ with input exits, where the environment can interrupt the delay process by inputting at the proper moment. In Section 4 we will use timed games to formalise these intuitions. 

For open systems, a ⊥-free TIOTS is free of auto-⊥ but is not necessarily free of semi-⊥. Indeed, ⊥-freedom here is neither a sufficient nor a necessary condition for an open system to be free of incompatibility errors, which, instead, corresponds (informally) to a system free of auto-⊥ and semi-⊥. A more formal definition will have to wait until Section 4. 

Similarly to equating ⊥ to the error-trapping state of classical I/O systems, we can also explain ⊤ within the classical I/O framework (i.e. without relying on intuitions like assumption/guarantee violations) by augmenting it with a timestop state. Timestop models the operation of stopping the system clock and in our context means the freezing of global time. We equate ⊤ to timestop. Thus, ⊤ represents the magic moment from which the global time (or the whole system) stops elapsing (or running), consequently eliminating, once and for all, all subsequent possibility of errors. From an environment's point of view we assume that ⊤ refines plain states, which in turn refine ⊥. Timestop can explain the behaviour of ⊤ in parallel composition: the equation ⊥ ∥ ⊤ = ⊤ holds because time stops exactly at the moment the error-trapping mechanism is triggered, so the resulting state is a timestop rather than ⊥. 

Dual to auto-⊥ and semi-⊥, we can also define notions like auto-⊤ and semi-⊤. We say a plain state p in a ⊤/⊥-complete TIOTS is an auto-⊤ iff p —a→ ⊤ for some a ∈ I. We say a plain state p is a semi-⊤ iff 1) all output transitions in p or any of its time-passing successors lead to the ⊤ state, and 2) there exists d ∈ ℝ^{>0} s.t. p —d→ ⊤. 

We cannot fully explain the intuitions behind auto-⊤ at this stage. But, for semi-⊤, it models a generalisation of timelock to open systems. Here we need to switch back to the ⊤-removed semantics for TIOTSs, where the intuition of timelock is clearer. 

On a closed (⊤-removed) TIOTS, the definition of timelock coincides with that on classical TAs (see the footnote below), i.e. TAs without I/O distinction. We call a plain state p a timelock if 1) no action transition is enabled in p or any of its time-passing successors, and 2) there exists d ∈ ℝ^{>0} s.t. d is not enabled in p. 

Semi-⊤ as timelock for open systems. The definition of semi-⊤ can be specialised for ⊤-removed TIOTSs. We say a plain state p is a semi-⊤ iff 1) no output transition is enabled in p or any of its time-passing successors, and 2) there exists d ∈ ℝ^{>0} s.t. d is not enabled in p. Obviously semi-⊤ is a generalisation of timelock to open systems, which models the scenario that the component has no option but to stop the progress of time if the environment does not intervene in time. 

Like the case for ⊥-freedom, a ⊤-free TIOTS is free of auto-⊤ but is not necessarily free of semi-⊤. Thus, timelock is independent of timestop, which confers on the component an implicit capability to stop time. 

Before moving on to the next section, we make a few observations as a summary: 

• We model errors arising from assumption/guarantee mismatches by auto-⊥ and semi-⊥ states, and we model timelock by semi-⊤. 

• When two components are composed in parallel, new errors will be generated but no new timelock (or auto-⊤) will be generated (see the footnote below). 



Footnote: Due to our non-zenoness assumption, our timelock can be shown to be a local and strengthened version of the timelock defined as in [5]. 



This non-duality in the effect of parallel composition is largely due to the non-symmetric treatment of input and output in the parallel composition: the synchronisation of an input and an output gives rise to an output. For example, in Figure 4 the component P in location B is not a semi-⊥ since it has an outgoing input transition finish. But, after parallel composition, the input becomes an output and B2 contains a semi-⊥. 



3. Timed I/O Games and Refinement 

We have used game-based intuitions to introduce ⊤ and ⊥ as assumption and guarantee violations resp. Now let us elaborate further and formalise the timed-game framework, whereby the component and an environment, controlling timed outputs and inputs respectively, play a ⊤/⊥-reachability game in which the component tries to avoid reaching ⊤, while the environment tries to avoid reaching ⊥. Previously there have been works on timed game frameworks [3, 4]. But our formulation has important differences (cf. the discussion at the end of Section 5.2). 



3.1. Timed I/O Games 

In our timed I/O game, a TIOTS encodes the set of strategies possible for the component in the game. An environment for a TIOTS P is any TIOTS Q such that P and Q have complementary alphabets, meaning I_P = O_Q and O_P = I_Q. Q encodes the environmental strategies. 

The formal definition of (timed) strategies is given below: 

A strategy G is a deterministic tree TIOTS (see the footnote below) s.t. each plain state in G is ready to accept all possible inputs by the environment, but allows a single move (delay or output) by the component. 

That is, the set of enabled timed actions in any state p of G is I ⊎ mv_G(p), where mv_G(p) is the enabled component move, being either {a} for some a ∈ O or a time interval (see the footnotes below). The time interval here can be either infinite, i.e. (0, ∞), or finite, i.e. (0, d] for some d ∈ ℝ^{>0}. (Note that (0, d] is the set of all enabled delays at a state. Thus, due to time additivity, d should be the maximal delay allowable by the strategy TIOTS from that state. In other words, the move proposed at the new state after firing d must be an action move, say a.) 

Footnote: We say an acyclic TIOTS is a tree if 1) there does not exist a pair of transitions of the form p —a→ p'' and p' —d→ p'', 2) p —a→ p'' ∧ p' —b→ p'' implies p = p' and a = b, and 3) p —d→ p'' ∧ p' —d'→ p'' implies p = p'. 



Given TIOTSs P and P' with identical alphabets (i.e. O = O' and I = I'), we say P is a partial unfolding [21] of P' if there exists a function f : S_P → S_{P'} such that 1) f maps ⊤ to ⊤, ⊥ to ⊥ and plain states to plain states, and 2) f(s_P^0) = s_{P'}^0, and p —α→_P s ⟹ f(p) —α→_{P'} f(s). 

We say a TIOTS P contains a strategy G if G is a partial unfolding of P. 

We say a simple-path TIOTS (see the footnote below) L is a run of P if L is a partial unfolding of P. 



The set of strategies (see the footnote below) contained in P is denoted as the extension [P]. Since it makes little sense to distinguish strategies that are isomorphic, we will freely use strategies to refer to their isomorphism classes and write G = G' to mean G and G' are isomorphic. 

Let us give some examples in Figure 5. For the sake of simplicity we use two untimed transition systems P and Q, with identical alphabets I = {e, f} and O = {a, b, c}, to illustrate the idea of strategies. The transition systems use solid lines while strategies use dotted lines. We show four strategies of P and two strategies of Q on the right hand side of P and Q resp. in Figure 5. (They are not the complete sets of strategies for P and Q.) Note that the strategies 3 and 4 owe their existence to the ⊤-completion. 



Footnote: Note that all invariants and co-invariants are downward-closed. Thus, a delay move can be represented as a time interval from 0 to some d ∈ ℝ^{>0} or to infinity. 

Footnote: That is, at each state a strategy proposes either a (d, a) move (for d > 0) or an ∞ move. 



Footnote: We say an acyclic TIOTS is a simple path if 1) p —a→ s' ∧ p —a'→ s'' implies s' = s'' and a = a', and 2) p —d→ s' ∧ p —d'→ s'' implies s' = s''. 

Footnote: In this paper we use a set of strategies (say Γ) to mean a set of strategies with identical alphabets. 

Figure 5: Strategy example. 

Game rules. When a component strategy G is played against an environment strategy G', at each game state (i.e. a product state p_G × p_{G'}) G and G' each propose a move (i.e. mv_G(p_G) and mv_{G'}(p_{G'})). If one of them is a delay and the other is an action, the action will prevail. If both propose delay moves (i.e. mv_G(p_G), mv_{G'}(p_{G'}) ⊆ ℝ^{>0}), the smaller one (w.r.t. set containment) will prevail. 

Since a delay move proposed at a strategy state is the maximal delay 
allowable at that state and the next move must be an action move, a play 
cannot have two consecutive delay moves. 

If, however, both propose action moves, there will be a tie, which will be resolved by tossing a coin. For uniformity's sake, the coin can be treated as a special component. A strategy of the coin is a function h from tA* to {0, 1}. We denote the set of all possible coin strategies as H. 

Remark. Our game rules are consistent with those found in [14, 1]. But our use of the rules is different. In [14, 1], there is no restriction that the rules must be applied on a pair of pre-determined strategies that propose only maximal delay moves. So if both players propose delay moves in one round, the winning side (with the smaller delay) can still propose a second delay move in the next round. This creates complications like time-blocking strategies and blame assignment. 



Strategy composition. A play of the game can be formalised as a composition of three strategies, one each from the component, environment and coin, denoted G_P ×_h G_Q. At a current game state p_P × p_Q, if the prevailing action is a and we have p_P —a→ s_P and p_Q —a→ s_Q, then the next game state is s_P ∥ s_Q. The play will stop when it reaches either ⊤ or ⊥. The composition will produce a simple path L that is a run of P ∥ Q (see the footnote below), i.e. either an infinite plain run or a finite run ending in ⊤/⊥. There is no possibility of a finite plain run, as is possible in [14, 1] by playing an infinite sequence of delay moves that converges. 

Strategy composition can be generalised to composition between any pair of strategies G_P ×_h G_Q with ∥-composable alphabets, that is, O_P ∩ O_Q = {}. For such P and Q, G_P ×_h G_Q gives rise to a tree rather than a simple-path TIOTS. That is, at each game state p_P × p_Q, besides firing the prevailing a ∈ tO_P ∪ tO_Q, we need also to fire 1) all the synchronised inputs, i.e. e ∈ I_P ∩ I_Q, and reach the new game state s_P ∥ s_Q (assuming p_P —e→ s_P and p_Q —e→ s_Q), and 2) all the independent inputs, i.e. e ∈ (I_P ∪ I_Q) \ (A_P ∩ A_Q), and reach the new game state s_P ∥ p_Q or p_P ∥ s_Q. 

The generalisation enables us to reduce parallel composition on processes to strategy composition: 

Lemma 1. For ∥-composable TIOTSs P and Q, [P ∥ Q] = [P] × [Q], where we define Γ × Γ' = {G ×_h G' | G ∈ Γ, G' ∈ Γ' and h ∈ H}. 

3.2. Refinement, Determinisation and Strategy Characterisation 

A TIOTS is a refinement of another if it will work in any environment that the original worked in without introducing safety or bounded-liveness errors. Here we use the closed-system version of incompatibility errors to formulate the definition. 

Definition 4 (Substitutive Refinement). Let P_imp and P_spec be TIOTSs with identical alphabets. P_imp refines P_spec, denoted P_spec ⊑ P_imp, iff for all environments Q, P_spec ∥ Q is ⊥-free implies P_imp ∥ Q is ⊥-free. We say P_imp and P_spec are substitutively equivalent, i.e. P_spec ≃ P_imp, iff P_imp ⊑ P_spec and P_spec ⊑ P_imp. 

Alternatively, if we view P_imp and P_spec as two ⊥-reachability games and replace parallel composition by strategy composition, the refinement can be defined as a comparison of how challenging each game is for the environment. In the games, the component and coin collaborate trying to reach ⊥ whilst the environment tries to avoid reaching ⊥. Therefore, P_spec ⊑ P_imp iff all environment strategies winning in game P_spec are also winning in game P_imp. Here we say an environment strategy G_e is winning in game P (or winning against strategy set [P]) iff G_e ×_h G is ⊥-free for all G ∈ [P] and h ∈ H. 

Footnote: P ∥ Q gives rise to a closed system (i.e. the input alphabet is empty), so a run of P ∥ Q is a strategy of P ∥ Q. 

Obviously, P ⊑ Q is related but not equivalent to the set containment between [P] and [Q]: [Q] ⊆ [P] implies P ⊑ Q but the converse is not true. This failure of the equivalence is largely due to the phenomenon of implicit strategies. 

Formally, we say a strategy G ∉ [P] is an implicit strategy of [P] iff all environment strategies winning against strategy set [P] are also winning against [P] ∪ {G}. Thus, a general principle to formulate a strategy-based semantics is to perform some closure operation on [P] s.t. all implicit strategies become included. 

Given [P], the set of its implicit strategies depends on the refinement order under consideration. With respect to ⊑ there are two sources of implicit strategies. 

The first is due to the existence of an ordering on strategies; some strate- 
gies are by nature more aggressive than the others. 

Comparing strategies. When the game is played, the component tries to avoid reaching ⊤ while the environment tries to avoid reaching ⊥. Different strategies in [P] vary in their effectiveness in achieving the objective. Such effectiveness can be compared if two strategies closely resemble each other: we say G and G' are affine iff s_G ⇒^π p and s_{G'} ⇒^π p' implies mv_G(p) = mv_{G'}(p'). Intuitively, this means G and G' propose the same move at the 'same' states. For instance, the strategies 1, 3 and A in Figure 5 are pairwise affine, and so are the strategies 2, 4 and B. 

Given two affine strategies G and G', we say G is more aggressive than G', denoted G ≼ G', if 1) s_{G'} ⇒^π ⊥ implies there is a prefix π_0 of π s.t. s_G ⇒^{π_0} ⊥, and 2) s_G ⇒^π ⊤ implies there is a prefix π_0 of π s.t. s_{G'} ⇒^{π_0} ⊤. Intuitively, it means G can reach ⊥ faster but ⊤ slower than G'. ≼ forms a partial order over [P], or, more generally, over any set of strategies with identical alphabets. For instance, strategy A is more aggressive than 1 and 3, while strategy B is more aggressive than 2 and 4. 

When the game is played, the component P prefers to use the maximally aggressive strategies in [P] (see the footnote below). Thus, two components that differ only in non-maximally aggressive strategies should be equated. We define the strategy semantics of component P to be ⟦P⟧ = [P]^≼, i.e. the upward-closure of [P] w.r.t. ≼. 

The other source of implicit strategies is due to the imperfect information of our game. That is, given a partial play π of a non-deterministic game P, there are a number of possible states (say S_π) that can be reached. It is the component and coin, not the environment, that know which of S_π is chosen as the next game state. This entitles the former to have implicit strategies, which are hybrid strategies generated through decomposing and re-combining the strategies of different states in S_π. For instance, strategy A is a hybrid of strategies 1 and 3 in Figure 5. 

Such implicit strategies can be made explicit by converting an imperfect-information game into an (equivalent) perfect-information game. Below we propose a modified subset construction procedure to perform such a conversion. 

We define the determinisation P^D of a ⊥-complete TIOTS P as a modified subset construction procedure on P: given a subset S_0 of states reachable by a given trace, we only keep those which are minimal w.r.t. the state refinement relation. So if the current state subset S_0 contains ⊥, the procedure reduces S_0 to ⊥; if ⊥ ∉ S_0 ≠ {⊤}, it reduces S_0 by removing any possible ⊤ in S_0 (see the footnote below). For example, Figure 5 contains two ⊤/⊥-removed TIOTSs P and Q. If we apply the above procedure to P^⊥ the resultant TIOTS will be Q^⊥. 

Given any TIOTS P, we can verify P ≃ P^D even though ⟦P⟧ ⊂ ⟦P^D⟧. 

Proposition 1 ([10]). Any TIOTS P is substitutively equivalent to the deterministic TIOTS P^D. 



For instance, in Figure 5 we have (P^⊥)^D = Q^⊥, but ⟦P⟧ ≠ ⟦Q⟧ since 1, 2, 3 and 4 are strategies of ⟦Q⟧ (due to upward-closure w.r.t. ≼) but A and B are not strategies of ⟦P⟧. 
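An added example (not code from the paper) of the modified subset construction just described, run on a constructed untimed system; the states A to E and the alphabet are this example's own and not those of Figure 5.

```python
# Added example (not the paper's own code): the modified subset construction
# of Section 3.2 on an untimed, non-deterministic ⊤/⊥-completed I/O transition
# system. Assumptions: time is dropped; a missing input transition is
# ⊥-completed and a missing output transition is ⊤-completed.
TOP, BOT = "⊤", "⊥"


def successors(ts, p, a):
    """All a-successors of state p, with the implicit completion applied."""
    if p in (TOP, BOT):
        return {p}                          # ⊤ and ⊥ are absorbing
    if (p, a) in ts["trans"]:
        return set(ts["trans"][(p, a)])
    return {BOT} if a in ts["I"] else {TOP}


def reduce_subset(states):
    """Keep only the states minimal in the refinement order ⊤ ⊑ plain ⊑ ⊥:
    a subset containing ⊥ collapses to {⊥}; otherwise ⊤ is dropped unless
    the subset is exactly {⊤}."""
    S = frozenset(states)
    if BOT in S:
        return frozenset({BOT})
    if S != frozenset({TOP}):
        return S - {TOP}
    return S


def determinise(ts):
    """Return ts^D: its states are the reduced subsets of ts's states that
    are reachable by a common trace; it is deterministic by construction."""
    init = reduce_subset({ts["init"]})
    trans, todo, seen = {}, [init], set()
    alphabet = ts["I"] | ts["O"]
    while todo:
        S = todo.pop()
        if S in seen or S <= {TOP, BOT}:
            continue                        # ⊤/⊥ have nothing to explore
        seen.add(S)
        for a in sorted(alphabet):
            T = reduce_subset(set().union(*(successors(ts, p, a) for p in S)))
            if T == frozenset({TOP}):
                continue                    # ⊤-removed view: move not offered
            trans[(S, a)] = T
            todo.append(T)
    return {"I": ts["I"], "O": ts["O"], "init": init, "trans": trans}


# Constructed sample (not Figure 5): after output `a` the component is either
# in B, where input `e` is not expected (so ⊥-completed), or in C, where `e`
# is fine. The environment cannot tell B from C, so the worst case, ⊥, wins
# and the component gains the hybrid strategy that the subsets make explicit.
P = {"I": {"e"}, "O": {"a", "b"}, "init": "A",
     "trans": {("A", "a"): {"B", "C"}, ("C", "e"): {"D"}, ("C", "b"): {"E"}}}

if __name__ == "__main__":
    D = determinise(P)
    for (S, a), T in D["trans"].items():
        print(sorted(S), a, "->", sorted(T))
```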

There might be further sources of implicit strategies with respect to coarser refinements than ⊑. But, for the two sources of ⊑, we can give a uniform and collective characterisation. That is, we say a strategy G' ∉ Γ is a ⊑-implicit strategy of the strategy set Γ iff s_{G'} ⇒^π s' implies there exists s_G ⇒^π s for some G ∈ Γ s.t. either both executions are plain executions or the execution s_{G'} ⇒^π s' reaches ⊤ earlier or ⊥ later than s_G ⇒^π s. We denote by Γ^⊑ the ⊑-implicit strategy closure of Γ. 

Define ⟪P⟫ = ⟦P⟧^⊑. Then ⟪·⟫ characterises exactly the substitutive equivalence ≃. 

Theorem 1 ([10]). Given TIOTSs P and Q, P ⊑ Q iff ⟪Q⟫ ⊆ ⟪P⟫. 

Footnote: This is because our semantics/refinement is designed to preserve ⊥ rather than ⊤. 

Footnote: For a more detailed definition of transforming non-deterministic systems into substitutivity-equivalent deterministic systems, we refer readers to Definition 4.2 in [25]. That is for the untimed case. 

4. Realisability Restriction and Coarsened Refinement 



Section 3.2 gives a substitutive refinement and its strategy characterisation. [10] further proves that ≃ is a congruence w.r.t. the parallel, conjunction, disjunction and quotient operators, thus giving rise to a simple and elegant compositional specification theory (see the footnote below). 

However, one drawback of such a theory is that we allow unrestricted strategies for the component and environment in the game play. In other words, the component and environment may apply timestop-like operations (i.e. timestop and timelock) directly against each other. 

The timestop-like operations greatly increase the distinguishing power of the environment, giving rise to the finest possible equivalence ≃. They also equip the environment with the capability to steer components away from incompatibility errors (⊥) under all possible situations, thus making conjunction and quotient fully defined operators. 

In general, such a capability is too powerful to be realistic. Certain real-world systems might have an inherent ability to stop the system clock, e.g. in embedded systems and circuit design [12, 20] or in a controlled execution environment like simulation or testing. However, for an even larger class of applications, the suspension of clocks is arguably neither meaningful nor realisable. 

Thus, in the rest of the paper we will develop a theory that can remove timestops and timelocks, to keep only the so-called realisable behaviours. Note that, even for such timestop-free systems, ⊤ can play the important role of being an imaginary state exploited at the intermediate steps of theory development and thus greatly simplifying operator definitions like quotient and conjunction. 

Footnote: Actually the theory in [10] is developed in a more general setting, where the assumption of non-zenoness is removed. 

We focus on realisable systems from here on, and simply call TIOTSs free of ⊤ and semi-⊤ (see the footnote below) specifications. Therefore, we are returning to the classical I/O systems equipped with error-trapping states. As can be demonstrated, operations on components such as parallel composition, renaming, hiding and determinisation preserve ⊤ and semi-⊤ freedom (see the footnote below). 

Hence, we offer a classical I/O system as a user interface so that complications like timestops and timelocks are hidden from view and components and environments use only realisable strategies to interact with one another. Formally we say a strategy is realisable iff it is free of ⊤ and semi-⊤. We often use C to denote a realisable strategy. 

The rest of this section leaves the world of ⊤/⊥-complete TIOTSs and deals exclusively with specifications. Furthermore, we assume all specifications are ⊥-complete in order to simplify presentation. 

The definition of Π_∥ (and hence ∥) can be extended without modification to work on ⊥-complete TIOTSs (see the footnote below). As parallel composition preserves ⊤ and semi-⊤ freedom, ∥ can be directly used as an operation on specifications. In addition, since strategies are ⊥-complete TIOTSs, we can freely parallel-compose a strategy with a component in the sequel. 

Realisable refinement. Based on the parallel operator we can re-define the substitutive refinement on top of specifications: Let P and Q be specifications with identical alphabets. P realisably refines Q, denoted Q ⊑_r P, iff, for all environment specifications R, Q ∥ R is ⊥-free implies P ∥ R is ⊥-free. We say P and Q are substitutively equivalent, i.e. Q ≃_r P, iff P ⊑_r Q and Q ⊑_r P. 

Note that in the definition 1) both the component and environment are restricted to realisable ones and 2) the incompatibility errors utilised are the closed-system version. It is obvious that ≃_r is the weakest equivalence preserving ⊥. In the sequel we show that ≃_r is a congruence w.r.t. the parallel ∥, conjunction ∧, disjunction ∨ and quotient % operators. 

Footnote: This, combined with our non-zenoness assumption on TIOTSs, implies that no component in our realisable theory is time-blocking. 

Footnote: This is in contrast to the case of synchronised product on timed components without I/O distinction, where new timelocks can be generated. 

Footnote: With the extension, synchronisation failures, i.e. an action being enabled on one process but not on the other, become possible. 

Recall that our determinisation is directly defined on ⊥-complete TIOTSs. On specifications, it is easy to verify that determinisation preserves ⊤ and semi-⊤ freedom as well as the substitutive equivalence, i.e. P ≃_r P^D. 

With determinisation, imperfect-information games can be converted into 
perfect-information games. Based on the latter, we can formalise the notion 
of incompatibility errors for open systems. 

Given a perfect-information game P^D in which the collaboration of the component and coin plays against the environment for the objective of ⊥-reachability, we say a plain state p in P^D is ⊥-winning iff there is no (realisable) environment strategy winning in game P^D(p). In other words, starting from state p, the component and coin can collaborate to win the ⊥-reachability game. Here we use the notation P(p) to denote the specification P with the initial state changed to p. 

Obviously, semi-⊥ and auto-⊥ states are ⊥-winning states (under the realisability restriction), and without the realisability restriction no state in game P^D is ⊥-winning. 

Semi-⊥ and auto-⊥ are among the most representative subclasses of ⊥-winning states; the absence of semi-⊥ and auto-⊥ effectively captures the absence of ⊥-winning states. 

Lemma 2. A deterministic specification is free of ⊥-winning states iff it is free of semi-⊥ and auto-⊥. 

Based on this observation we can formalise the notion of incompatibility error freedom for open systems. We say an (open) TIOTS P is error-free iff P^D is free of auto-⊥ and semi-⊥. From this definition it is easy to see that the perfect information requirement is necessary here since determinisation can introduce new semi-⊥. 

4.1. Strategy characterisation of ≃_r 

The definition of strategies and the notation [P] can be reused on specifications. It is easy to verify that specifications contain only realisable strategies and that specification ∥-composition can be reduced to (realisable) strategy composition: [P ∥ Q] = {C ×_h C' | C ∈ [P], C' ∈ [Q] and h ∈ H} for all specifications P and Q. 

Similarly, we can compare realisable strategies and define ≼_r as the restriction of ≼ to realisable strategies. This gives rise to the implicit strategy closure operation Γ^{⊑_r} and we define ⟪P⟫_r = ⟦P⟧^{⊑_r}. 
[Figure 6: diagram of the specifications P and Q and the strategies L and G; not reproduced.] 

Figure 6: Distinguishing power of ⊤. 

It is easy to verify that ⟪P⟫_r = ⟪Q⟫_r implies P ≃_r Q, but the converse is not true. Thus, ≃_r is strictly coarser than ⟪·⟫_r. 

Example. In Figure 6, assuming the alphabet is A = {a}, we were able to distinguish P from Q using ⟪·⟫_r, since strategy L is in ⟪Q⟫_r but not in ⟪P⟫_r. On the other hand, P ≃_r Q holds since it is impossible to construct an environment specification R s.t. P ∥ R is ⊥-free but Q ∥ R is not. 

The substitutive equivalence is due to the fact that the initial states of P and Q are both ⊥-winning states. A ⊥-winning state is as bad as the ⊥ state since, once a specification reaches a ⊥-winning state, no (realisable) environment can steer it away from ⊥. Thus, according to ≃_r a component in a ⊥-winning state is indistinguishable from one in the ⊥ state (see the footnote below). This gives rise to the third source of implicit strategies, e.g. strategy L is an implicit strategy of Q. 

We can make such implicit strategies explicit by performing a further normalisation on P. 

Normalisation. The normalisation of a specification P, denoted P^N, is obtained by first determinising P and then collapsing all ⊥-winning states in P^D to ⊥. 

An interesting observation here is that normalisation based on ⊥-winning states can be reduced to normalisation based on semi-⊥ and auto-⊥, since the latter are those ⊥-winning states which are precisely one step away from ⊥. So we have an alternative local characterisation of normalisation. 

P^N may then be defined by ⊥-backpropagation, which repeatedly collapses semi-⊥ and auto-⊥ states in P^D to ⊥, until semi-⊥ and auto-⊥ freedom is obtained. 

Since realisable strategies are specifications, normalisation is also defined 
on realisable strategies. 
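An added example (not the paper's code) of ⊥-backpropagation over a deterministic ⊥-complete specification, which also implements the auto-⊥ and semi-⊥ tests of Section 2.5; it assumes a discrete-time abstraction in which a single delay action stands for one clock tick, and the sample specification is constructed for this example rather than taken from Figure 4.

```python
# Added example (not the paper's own code): ⊥-backpropagation, the local
# characterisation of normalisation, applied to a deterministic ⊥-complete
# specification, together with the auto-⊥ / semi-⊥ tests of Section 2.5.
# Assumptions: time is abstracted to one discrete delay action DELAY (a clock
# tick), so the "time-passing successors" of p are the states reachable from
# p by DELAY alone; a missing input transition is ⊥-completed.
BOT, DELAY = "⊥", "δ"


def step(spec, p, a):
    """Deterministic a-successor of p, or None if a is not enabled.
    Missing inputs are completed to ⊥; missing outputs/delays stay disabled."""
    if p == BOT:
        return BOT
    if (p, a) in spec["trans"]:
        return spec["trans"][(p, a)]
    return BOT if a in spec["I"] else None


def time_successors(spec, p):
    """p together with every plain state reachable from p by delays only."""
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q in seen or q == BOT:
            continue
        seen.add(q)
        nxt = step(spec, q, DELAY)
        if nxt is not None:
            todo.append(nxt)
    return seen


def is_auto_bottom(spec, p):
    """Exception: some output of p leads straight to ⊥."""
    return any(step(spec, p, o) == BOT for o in spec["O"])


def is_semi_bottom(spec, p):
    """Timeout: no input can interrupt the delay from p (every input at p or
    at any of its time-passing successors leads to ⊥), and delaying long
    enough from p does reach ⊥."""
    succs = time_successors(spec, p)
    no_escape = all(step(spec, q, i) == BOT for q in succs for i in spec["I"])
    reaches_bot = any(step(spec, q, DELAY) == BOT for q in succs)
    return no_escape and reaches_bot


def normalise(spec):
    """Collapse auto-⊥ and semi-⊥ states to ⊥, repeating until none is left
    (collapsing a state can make its predecessors auto-⊥ or semi-⊥). An
    inconsistent specification ends up with ⊥ as its initial state."""
    spec = {"I": spec["I"], "O": spec["O"], "init": spec["init"],
            "trans": dict(spec["trans"])}
    while True:
        states = {p for (p, _) in spec["trans"]} | {spec["init"]}
        bad = {p for p in states if p != BOT
               and (is_auto_bottom(spec, p) or is_semi_bottom(spec, p))}
        if not bad:
            return spec
        # Drop the bad states' own moves and redirect moves into them to ⊥.
        spec["trans"] = {(p, a): (BOT if s in bad else s)
                         for (p, a), s in spec["trans"].items() if p not in bad}
        if spec["init"] in bad:
            spec["init"] = BOT


# Constructed sample (not Figure 4). From A the environment may `start` a job,
# from which it can always rescue the component by `cancel`, or `print`,
# after which no input is accepted and two ticks end in a timeout (⊥).
SPEC = {"I": {"start", "print", "cancel"}, "O": {"finish"}, "init": "A",
        "trans": {("A", DELAY): "A", ("A", "start"): "B", ("A", "print"): "C",
                  ("B", DELAY): "B1", ("B", "finish"): "A", ("B", "cancel"): "A",
                  ("B1", DELAY): BOT, ("B1", "finish"): "A", ("B1", "cancel"): "A",
                  ("C", DELAY): "C1", ("C", "finish"): "A",
                  ("C1", DELAY): BOT, ("C1", "finish"): "A"}}

if __name__ == "__main__":
    N = normalise(SPEC)
    print("init:", N["init"])
    for (p, a), s in sorted(N["trans"].items()):
        print(f"  {p} --{a}--> {s}")
```

After normalisation the `print` input at A leads to ⊥ directly, i.e. the normalised specification records that `print` in A is a ⊥-winning move the environment must avoid, while the `start` branch survives because `cancel` is an input exit.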



Footnote: This is in contrast to unrealisable systems, where the environment can always distinguish the ⊥ state from the ⊥-winning states by stopping time immediately. For example, the unrealisable strategy G in Figure 6 can distinguish P from Q. 

Lemma 3. Given any component strategy C and environment specification R, C ∥ R is ⊥-free iff C^N ∥ R is ⊥-free. 

The normalisation of a specification can be reduced to strategy normalisation. For a set of realisable strategies Γ, the normalisation closure, denoted Γ^N, is the least ≼_r-upward closed superset of Γ such that C ∈ Γ^N implies 



Lemma 4. Given any specification P, ⟪P⟫_r = Γ implies ⟪P^N⟫_r = Γ^N. 

As a shorthand, we use [P]_n to denote (⟪P⟫_r)^N = ⟪P^N⟫_r. 

Theorem 2. Given two specifications P and Q, P ⊑_r Q iff [Q]_n ⊆ [P]_n. 

A specification P is inconsistent iff s_P^0 is a ⊥-winning state. Under normalisation, any inconsistent specification is reduced to the ⊥-TIOTS. For consistent specifications, normalisation yields a deterministic error-free specification. 

4.2. Desiderata of the operators 

Before developing the operational definitions on conjunction, disjunction 
and quotient, let us first describe the desired effects for these operators to 
achieve. 

We say a set of realisable strategies F is a specification semantics iff 
F = (F^'')^. The domain of specification semantics combined with the C 
relation gives rise to a lattice, where conjunction (A) and disjunction (V) are 
supposed to correspond to the join and meet operators respectively]^ That 
is, conjunction yields the coarsest specification that is a refinement of its 
operands, while disjunction yields the finest specification that is refined by 
both of its operands. 

Definition 5. For any pair of specification semantics F and F' with identical 
alphabets, we define F A F' = F n F' arwi F V F' = ((F U F')^'')^. 



Footnote: The semantics normalisation operation preserves the disjunction closedness.

Footnote: As we write A ⊑ B to mean A is refined by B, our operators ∧ and ∨ are reversed in comparison to the standard symbols for meet and join.

It is easy to verify that F ∩ F' is a specification semantics.

Quotient P0 % P1 produces the coarsest specification P such that P || P1 is a refinement of P0. In other words, if P1 is the plant and P0 is the overall system specification, then P0 % P1 synthesises the coarsest (or most permissive) controller that can steer the plant away from behaviours violating P0.

Mirror P^¬ gives the set of (realisable) environment strategies that can steer P away from ⊥.

Definition 6. Given a specification semantics F, we define F^¬ = {C_E | ∀C ∈ F, h ∈ H : C ×_h C_E is ⊥-free}. Given two specification semantics F and F' (with alphabets A' ⊆ A and O' ⊆ O), we define F % F' = {C_% | ∀C' ∈ F', h ∈ H : C_% ×_h C' ∈ F}.

It is easy to verify that F^¬ and F % F' as defined above give rise to specification semantics.

5. Operational semantics 

In the last section we outlined the desiderata for the four operators. Conjunction and disjunction calculate the meet and join w.r.t. ⊑_r, whilst mirror and quotient synthesise realisable controllers to steer components away from undesirable states/behaviours. In this section, we give the operational definitions of the operators that fulfil the desiderata. The key challenge here lies in understanding the interplay between synthesis games across specification boundaries.

We adopt a two-step approach here. Firstly we define the four operators for the restricted case when the operands are all normalised specifications. Since the synthesis game in a normalised specification has been pre-resolved, the operator definitions need only utilise the process-algebraic technique of state-to-process lifting. The process-algebraic definitions may, however, generate a new realisation game under some operators, which, we show, is resolvable by a ⊤-backpropagation procedure.

Then we analyse and understand the composability of different games under different operators; based on that knowledge we give the minimal extension to the process-algebraic definitions so that the extended operators indeed implement the desiderata for general specifications.

Table 2: State composition operators.



5.1. Restricted case

Like parallel composition, we define conjunction, disjunction and quotient as variants of synchronised product, which operate over ⊤/⊥-complete TIOTSs and are parameterised by a polymorphic state/alphabet composition operator.

Table 2 tells us how states should be combined under the composition operators. Based on the refinement ordering on states, it is easy to see that the state conjunction (∧) and disjunction (∨) operations in Table 2 follow the intuition of the join and meet operations (except for the case when both operands are plain states) and that the state quotient (%) operation is definable via the state parallel (||) and mirror (¬) operations: s0 % s1 = (s0 || s1)^¬.

We say (I0, O0) and (I1, O1) are ∧- and ∨-composable if (I0, O0) = (I1, O1), and are %-composable if (I0, O0) dominates (I1, O1), i.e. A1 ⊆ A0 and O1 ⊆ O0. Then, we can define the alphabet composition operations under the respective composability restriction: (I0, O0) = (I0, O0) ∧ (I1, O1), (I0, O0) = (I0, O0) ∨ (I1, O1) and (I0 ∪ O1, O0 \ O1) = (I0, O0) % (I1, O1).

Remark. Note the subtlety in the transition rules of P0 ∏∧ P1 and P0 ∏∨ P1. If we have p0 → p0' in P0 and p1 → ⊤ in P1, then we have p0 × p1 → p0' in P0 ∏∧ P1. That is, process P1 is discarded after the transition and the rest of the execution is the solo run of P0.

Like ∏_||, the definition of ∏∧ can be extended without modification to work on ⊥-complete TIOTSs (cf. Footnote 21). On specifications, ∏∧ preserves ⊤-freedom but not semi-⊤ freedom. Thus P ∏∧ Q may contain semi-⊤ and has to be converted to a specification.

In contrast, the definitions of ∏∨ and ∏% do not extend to ⊥-complete TIOTSs. We have to perform ⊤-completion on the operands. Then P^⊤ ∏∨ Q^⊤ and P^⊤ ∏% Q^⊤ produce a general TIOTS, which needs to be converted back to a realisable one.

The rationale here is that the ∏∨, ∏∧ and ∏% operators implement the desiderata using the ⟦·⟧ semantics rather than the ⟦·⟧_r one. Thus, P ∏∧ Q implements ⟦P^⊤⟧ ∩ ⟦Q^⊤⟧ rather than ⟦P⟧_r ∩ ⟦Q⟧_r.

Example. Let P be a specification that waits exactly 3 time units before firing output a, while Q is a specification that waits silently forever. Both are characterised by their sets of realisable strategies. However, if P and Q are put into conjunction using ∏∧, then there is no realisable strategy in the intersection ⟦P^⊤⟧ ∩ ⟦Q^⊤⟧ even though the intersection is non-empty.

However, it is interesting to observe that ⟦P⟧_r ∩ ⟦Q⟧_r = RG(⟦P^⊤⟧ ∩ ⟦Q^⊤⟧) holds for normalised specifications P and Q, where the realisability filtering function RG(F) extracts the subset of realisable strategies from F. Thus, our conversion aims to implement the realisability filtering on top of TIOTSs.

There are two cases for such a conversion. In the first case, when the resultant TIOTS is free of auto-⊤ and semi-⊤, ⊤-removal suffices to remove unrealisability. This is the case for P^⊤ ∏∨ Q^⊤ since ∏∨ preserves auto-⊤ and semi-⊤ freedom on ⊤/⊥-complete TIOTSs.

In the second case, when the resultant TIOTS contains auto-⊤ and semi-⊤ (the case for P ∏∧ Q and P^⊤ ∏% Q^⊤), we need a more sophisticated procedure for unrealisability removal. Let us start with a deeper analysis of auto-⊤ and semi-⊤.

Auto-⊤ and semi-⊤ as ⊤-winning states. Like auto-⊥ and semi-⊥, it is best to understand auto-⊤ and semi-⊤ in terms of perfect-information games (as determinisation does not preserve auto-⊤ and semi-⊤).

In a perfect-information game P^D, a key observation is that a plain state p being an auto-⊤ or semi-⊤ implies that no strategy starting from p is realisable.

For instance, if p is an auto-⊤, p has an input transition going to ⊤. Then all strategies starting from p have to unfold that input transition (due to determinism) and thus are unrealisable.

If p is, on the other hand, a semi-⊤, any strategy starting from p, if realisable, has to make a delay move at p (since all output moves lead to ⊤ due to the semi-⊤). However, according to our strategy definition, after the delay move, which has to be finite, the strategy will have to make an output move, which unavoidably leads to ⊤.

Auto-⊤ and semi-⊤ characterise only a subclass of those plain states from which there is no realisable strategy. The characterisation of the full class requires, surprisingly, a dual game of the ⊥-reachability game.

Given a perfect-information game P^D in which the collaboration of the environment and coin play against the component for the objective of ⊤-reachability, we say a (realisable) environment strategy C_E and a coin strategy h ∈ H are winning in game P (or winning against strategy set ⟦P⟧) iff C_E ×_h C can reach ⊤ for all C ∈ ⟦P⟧. Then we say a plain state p in P^D is ⊤-winning iff there is a pair of (realisable) environment and coin strategies winning in game P^D(p).

Remark. Note that ⊤- and ⊥-winning states are dual to each other, and it is possible that a state in a TIOTS is ⊥-winning and ⊤-winning simultaneously. However, the theory in this paper uses only a restricted class of TIOTSs, in which it is impossible to be simultaneously ⊥-winning and ⊤-winning.

It is easy to verify that semi-⊤ and auto-⊤ are both ⊤-winning states and that the absence of semi-⊤ and auto-⊤ implies the absence of ⊤-winning states.

Lemma 5. A TIOTS is free of ⊤-winning states iff it is free of semi-⊤ and auto-⊤.

Based on T-winning states, we can derive a procedure (dual to normali- 
sation) to filter out unrealisable strategies for any TIOTS. 

Extracting realisable strategies (realisation). Given a ⊤/⊥-complete TIOTS P, using a three-step procedure we can extract the realisable subsystem P^R of P (called the realisation of P). P^R contains precisely the realisable strategies in ⟦P⟧, i.e. ⟦P^R⟧ = RG(⟦P⟧).

The first step determinises P and makes all strategies explicit. Then the second step finds and replaces with ⊤ all the ⊤-winning states in P^D. Finally, the last step performs a ⊤-removal on the resultant TIOTS (if it is not already the ⊤-TIOTS).

⊤-backpropagation. The alternative, localised approach to generating P^R, called ⊤-backpropagation, repeatedly collapses semi-⊤ and auto-⊤ states in P^D to ⊤ until semi-⊤ and auto-⊤ freedom is obtained.

Hence, P^R produces either the unrealisable specification (i.e. the ⊤-TIOTS) or a (deterministic) specification. If we define ⟦P^R⟧_r = {} for the unrealisable specification, then we have the lemma below.

Lemma 6. For a ⊤/⊥-complete TIOTS P, RG(⟦P⟧) = ⟦P^R⟧_r.

Operator definitions. Given normalised specifications P and Q, we define P ∨ Q to be the ⊤-removal of P^⊤ ∏∨ Q^⊤, and define P ∧ Q = (P ∏∧ Q)^R and P % Q = (P^⊤ ∏% Q^⊤)^R. The mirror operation, P^¬, can be defined as performing an I/O switch operation on P^⊤, i.e. P^¬ is the ⊤-removal of (P^⊤)^↔. The I/O switch operation Q^↔ interchanges the input and output sets, as well as the ⊤ and ⊥ states, on the ⊤/⊥-completed Q.
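The ⊥-backpropagation of Section 4 and the ⊤-backpropagation (realisation) and I/O switch just described, as an added example that is not code from the paper: a fixpoint on a finite abstraction of a deterministic ⊤/⊥-complete TIOTS. Clocks are abstracted to a single timeout successor per state (⊥ when the co-invariant runs out, ⊤ when the invariant does), which is an assumption of this example, and the sample system is constructed rather than taken from one of the paper's figures.

```python
"""Added example (not the paper's code): bottom-/top-backpropagation on a
finite abstraction of a deterministic, top/bottom-complete TIOTS.

Assumptions of the abstraction (they are not part of the paper):
  * clocks are dropped; timeout[p] is the state a run falls into when p's clock
    bound expires without a discrete move: BOT if the co-invariant (assumption
    on the environment) runs out, TOP if the invariant (obligation on the
    component) runs out, or a plain state; no entry means p can wait forever;
  * auto-BOT: some output of p leads to BOT;  semi-BOT: the environment cannot
    escape BOT at p (every input leads to BOT and timeout[p] is BOT);
  * auto-TOP / semi-TOP are the I/O-switched duals (inputs <-> outputs).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TOP, BOT = "TOP", "BOT"        # sink states: unrealisable (top), inconsistent (bottom)
IN, OUT = "in", "out"
Key = Tuple[str, str, str]     # (source state, IN | OUT, action label)


@dataclass
class TIOTS:
    init: str
    trans: Dict[Key, str]      # deterministic: one target per (state, kind, label)
    timeout: Dict[str, str]

    def plain_states(self) -> Set[str]:
        seen = {self.init} | set(self.timeout) | set(self.timeout.values())
        for (p, _, _), q in self.trans.items():
            seen |= {p, q}
        return seen - {TOP, BOT}

    def succ(self, p: str, kind: str) -> List[str]:
        return [q for (src, k, _), q in self.trans.items() if src == p and k == kind]


def is_auto(spec: TIOTS, p: str, sink: str) -> bool:
    """auto-BOT: one component output reaches BOT; auto-TOP: one input reaches TOP."""
    mover = OUT if sink == BOT else IN
    return sink in spec.succ(p, mover)


def is_semi(spec: TIOTS, p: str, sink: str) -> bool:
    """semi-BOT: no input avoids BOT and waiting ends in BOT; semi-TOP: the dual."""
    opponent = IN if sink == BOT else OUT
    return spec.timeout.get(p) == sink and all(q == sink for q in spec.succ(p, opponent))


def collapse(spec: TIOTS, p: str, sink: str) -> TIOTS:
    """Merge plain state p into the sink: redirect its incoming moves, drop its own."""
    trans = {k: (sink if q == p else q) for k, q in spec.trans.items() if k[0] != p}
    timeout = {s: (sink if q == p else q) for s, q in spec.timeout.items() if s != p}
    return TIOTS(sink if spec.init == p else spec.init, trans, timeout)


def backpropagate(spec: TIOTS, sink: str) -> Tuple[TIOTS, Set[str]]:
    """Local fixpoint: collapse auto-/semi-sink states until none remain.
    sink=BOT is bottom-backpropagation (normalising a deterministic spec),
    sink=TOP is top-backpropagation (realisation). Returns the result and the
    collapsed states; a collapsed initial state yields the sink-TIOTS."""
    collapsed: Set[str] = set()
    progress = True
    while progress:
        progress = False
        for p in sorted(spec.plain_states()):
            if is_auto(spec, p, sink) or is_semi(spec, p, sink):
                spec = collapse(spec, p, sink)
                collapsed.add(p)
                progress = True
                break              # re-scan: the collapse may create new auto/semi states
        if spec.init == sink:
            return TIOTS(sink, {}, {}), collapsed
    return spec, collapsed


def remove_sink(spec: TIOTS, sink: str) -> TIOTS:
    """Sink-removal: drop every move into the sink (the presentation step afterwards)."""
    return TIOTS(spec.init, {k: q for k, q in spec.trans.items() if q != sink},
                 {p: q for p, q in spec.timeout.items() if q != sink})


def io_switch(spec: TIOTS) -> TIOTS:
    """I/O switch: swap inputs with outputs and TOP with BOT."""
    flip = {TOP: BOT, BOT: TOP}
    return TIOTS(flip.get(spec.init, spec.init),
                 {(p, OUT if k == IN else IN, a): flip.get(q, q) for (p, k, a), q in spec.trans.items()},
                 {p: flip.get(q, q) for p, q in spec.timeout.items()})


def normalise(spec: TIOTS) -> Tuple[TIOTS, Set[str]]:
    return backpropagate(spec, BOT)


def realise(spec: TIOTS) -> Tuple[TIOTS, Set[str]]:
    return backpropagate(spec, TOP)


def realise_via_switch(spec: TIOTS) -> Tuple[TIOTS, Set[str]]:
    """Realisation derived from normalisation through the I/O switch duality."""
    result, collapsed = normalise(io_switch(spec))
    return io_switch(result), collapsed


def is_inconsistent(spec: TIOTS) -> bool:
    return normalise(spec)[0].init == BOT


def is_unrealisable(spec: TIOTS) -> bool:
    return realise(spec)[0].init == TOP


# Constructed sample, loosely shaped like the printing example (not Figure 10).
SAMPLE = TIOTS(
    init="0",
    trans={("0", IN, "wakeup"): "1", ("0", OUT, "print"): "4",
           ("1", OUT, "collect"): BOT,   # collecting here is an error: "1" is auto-BOT
           ("1", IN, "e"): "2", ("2", IN, "a"): "3",
           ("4", OUT, "done"): "0", ("4", IN, "x"): "5",
           ("5", IN, "y"): TOP},         # an input into TOP: "5" is auto-TOP
    timeout={"1": "3", "2": BOT, "3": BOT, "4": TOP},   # "3": no input, co-invariant expires
)
```

Normalising SAMPLE collapses "3" (semi-⊥), then "2", then "1" into ⊥, and ⊥-removal then drops the wakeup transition out of "0", the same shape of guard strengthening the printing example walks through; realise_via_switch and realise agree on every input, illustrating the duality.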

Based on the mirror operator, we can give an alternative definition of quotient as the derived operator (P0 || P1)^¬. This is a lifting of the derivation of quotient from mirror and parallel on the state level.

Finally, we can verify that the above operator definitions implement the desiderata.

Theorem 3. Given a pair of ⊗-composable normalised specifications P and Q with ⊗ ∈ {∧, ∨, %}, we have ⟦P ⊗ Q⟧_n = ⟦P⟧_n ⊗ ⟦Q⟧_n and ⟦P^¬⟧_n = ⟦P⟧_n^¬.

5.2. General case 

For the general case when the specifications are not normalised, there is a naively correct definition by the application of a three-step recipe. We start with normalisation, go on with applying the corresponding ∏⊗ operators, and finish with realisation.

However, this approach sheds little light on understanding the composability of synthesis games under the set of operators and may potentially introduce unnecessarily cumbersome steps in the operator definitions. For instance, || is defined above without any need of normalisation or realisation. We can verify that the natural definition is equivalent to the three-step recipe definition.

Lemma 7. Given specifications P and Q, P || Q gives rise to a specification realisably equivalent to ((P^N)^⊤ ∏_|| (Q^N)^⊤)^R.

The proof of the above lemma is based on the composability of normalisation games under the parallel operator, i.e. the distributivity of the normalisation operation over parallel composition.

Lemma 8. (P || Q)^D = P^D || Q^D and (P || Q)^N = (P^N || Q^N)^N.

Lemma 9. Given specifications P and Q, for any product state p × q in P^D || Q^D, p (or q) being a ⊥-winning state in P^D (or Q^D) implies p × q is a ⊥-winning state in P^D || Q^D.

Then we can formally show that ||-composition implements strategy composition.

Proposition 2. For any pair of ||-composable specifications P and Q, we have ⟦P || Q⟧_n = (⟦P⟧_n × ⟦Q⟧_n)^N.

Disjunction. Like the parallel operator ||, disjunction ∨ is also (nearly) a natural operator to define.

Lemma 10. Given specifications P and Q, P ∨ Q gives rise to a specification realisably equivalent to ((P^N)^⊤ ∏∨ (Q^N)^⊤)^R.

The proof of the above lemma is based on the composability of normalisation games under disjunction.

Lemma 11. (P ∨ Q)^D = P^D ∨ Q^D and (P ∨ Q)^N = (P^N ∨ Q^N)^N.

Lemma 12. Given specifications P and Q, for any product state p × q in P^D ∨ Q^D, p (or q) being a ⊥-winning state in P^D (or Q^D) implies p × q is a ⊥-winning state in P^D ∨ Q^D.

The natural definitions will also work for hiding and renaming since, like ∏_|| and ∏∨, they do not generate new ⊤-winning states, although they do generate new ⊥-winning states.

However, for conjunction ∧ and quotient %, natural definitions do not work. This is due to the subtle interferences the composition imposes on the ⊤- and ⊥-winning states in their operands.

Example. In Figure 7 we have two specifications P and Q. Q is normalised while P is not. Normalisation will reduce P to the ⊥-TIOTS (simply denoted ⊥). It is easy to see that P ∏∧ Q (cf. Appendix A) produces the third specification, which is a normalised specification, rather than the ⊥-TIOTS (according to ⊥ ∏∧ Q = ⊥). This is due to the fact that with conjunction composition the ⊥-winning states at location A of P are interfered with and annulled by the urgency requirement on output e at location 1 of Q. Similarly, P ∏% Q (cf. Appendix A) produces the fourth specification, which is a normalised specification, rather than the ⊥-TIOTS.

Figure 7: Inter-component interference on winning states.

Conjunction. Technically speaking, conjunction will cause interferences on the ⊥-winning states of its operands, which leads to the non-distributivity of normalisation over ∏∧, i.e. (P ∏∧ Q)^N = (P^N ∏∧ Q^N)^N does not necessarily hold. Conjunction will not cause interferences on the ⊤-winning states of its operands, though. This, combined with the distributivity of determinisation over ∏∧, gives rise to distributivity of realisation over ∏∧.

Lemma 13. Given two ⊤/⊥-complete TIOTSs P and Q, we have (P ∏∧ Q)^D = P^D ∏∧ Q^D and ((P^D)^⊤ ∏∧ (Q^D)^⊤)^R = (P ∏∧ Q)^R.

Furthermore, ∏∧ preserves the freedom of ⊥-winning states but not the freedom of ⊤-winning states.

Lemma 14. Given two ⊤/⊥-complete TIOTSs P and Q, P^D and Q^D being free of ⊥-winning states implies P^D ∏∧ Q^D is free of ⊥-winning states. For any product state p × q in P^D ∏∧ Q^D, p (or q) being a ⊤-winning state in P^D (or Q^D) implies p × q is a ⊤-winning state in P^D ∏∧ Q^D.

Hence, we use the three-step recipe to define conjunction. Given specifications P and Q, we define P ∧ Q = ((P^N)^⊤ ∏∧ (Q^N)^⊤)^R. Lemma 14 implies that P ∧ Q is a normalised specification.

For mirror and quotient, we use only part of the three-step recipe, since some transformations in the recipe are not essential for interference cancellation.

Mirror. The mirror of a specification P, denoted P^¬, is defined by the equation P^¬ = (((P^D)^⊤)^↔)^N. That is, no normalisation is needed on the operand. This is because the I/O switch operation R^↔ (as defined in Section 5), rather than causing interferences on ⊤- and ⊥-winning states in R, only causes a switch between the two types of winning states. Thus, P^¬ is equivalent to the three-step recipe definition, i.e. the ⊤-removal of ((P^N)^⊤)^↔. Since P as a specification is free of auto-⊤ and semi-⊤, P^¬ gives rise to a specification that is free of auto-⊥ and semi-⊥, i.e. a normalised specification.

Lemma 15. Given any specification P, P^¬ is a normalised specification realisably equivalent to the ⊤-removal of ((P^N)^⊤)^↔.

The lemma below is very useful, since it shows how mirror can reduce the problem of refinement checking between two open systems to a non-reachability problem on a closed system.

Proposition 3. For any specifications P and Q, P ⊑_r Q iff P^¬ || Q is ⊤-free.

Quotient. Given specifications P and Q, we define P % Q = ((P^N)^⊤ ∏% Q^⊤)^R. The crucial point here is that we do not need to normalise Q (i.e. the plant in the controller synthesis framework). The definition can be shown to be consistent with the one using the three-step recipe.

Lemma 16. Given any specifications P and Q, P % Q is a normalised specification realisably equivalent to ((P^N)^⊤ ∏% (Q^N)^⊤)^R.

The proof of the above lemma is based on the composability of an ordered pair of normalisation and realisation games under quotient.

Lemma 17. Given two deterministic ⊤/⊥-complete TIOTSs P and Q, P being free of ⊥-winning states and Q free of ⊤-winning states implies 1) P ∏% Q is free of ⊥-winning states, 2) (P^R ∏% Q^R)^R = (P ∏% Q)^R and 3) for any product state p × q in P ∏% Q, p being a ⊤-winning state in P or q being a ⊥-winning state in Q implies p × q is a ⊤-winning state in P ∏% Q.

We can verify that P0 % P1 gives rise to a normalised specification realisably equivalent to (P0 || P1)^¬.

Figure 8: Generation and removal of ⊤-winning states.

Example. We give an example to show how ∏% can generate new ⊤-winning states and how realisation can remove them. In Figure 8, P and Q are both normalised specifications. At location A, P can choose either (behaviour A) to output f during the time window to 2 or (behaviour B) to wait for input e until time 5, at which point, if the environment fails to supply e, timeout will occur. On the other hand, at location 1, Q can choose either (behaviour C) to wait for input f during the time window to 2 or (behaviour D) to wait for input e until time 3, at which point, if the environment fails to supply e, timeout will occur. Obviously behaviour A should be matched to behaviour C and behaviour B to D. However, the timeout bound of behaviour D is stronger than that of B. Since it is impossible to weaken one component's input assumption by composing it with another component which has to treat the action either as input or as outside the alphabet, matching D to B generates an unrealisable behaviour in the pre-quotient P ∏% Q, which can be removed by the realisation.

Finally, we can formally show that the operator definitions implement the desiderata.

Theorem 4. Given a pair of ⊗-composable specifications P and Q with ⊗ ∈ {∧, ∨, %}, we have ⟦P ⊗ Q⟧_n = ⟦P⟧_n ⊗ ⟦Q⟧_n and ⟦P^¬⟧_n = ⟦P⟧_n^¬.

Based on the above theorem we can prove the congruence result.

Theorem 5. ⊑_r is a congruence w.r.t. ||, ∨, ∧ and %, subject to composability.

Double trace semantics. In addition to the timed strategy semantics, Appendix B also gives a double trace semantics like that in our earlier work [10].
Timed synthesis. Our formulation of timed synthesis games (realisation or normalisation) recognises three players in the game, i.e. coin, component and environment. On an abstract level, the two games actually belong to the same class, in which two players with a reachability objective collaborate and play against the third with a safety objective. Such a game has the nice properties that it is determined and winning strategies are memoryless. (For this paper we only consider the winning states for the two-player side.)

Our ⊤- and ⊥-backpropagations share similarities with the classical algorithms of timed synthesis games [H, 7]. Both implement some form of backward fixpoint computation of winning states; both can be adapted into efficient on-the-fly algorithms [7].

However, there are some important differences. Our auto-⊥ and semi-⊥ states are related to, but not equivalent to, the controllable predecessors of ⊥ in [7]. For example, an auto-⊥ state will not be a controllable predecessor of ⊥ if it has an outgoing input transition leading to a plain state. Thus, our ⊤- and ⊥-backpropagations are strictly more aggressive than the classic algorithms in classifying winning states, since the latter cannot back-propagate through auto-⊥. This is crucial for our weakest congruence results.

Another advantage of the three-player formulation is that the composition 
of the three strategies generates a run for closed systems or a strategy for open 
systems, thus giving rise naturally to the strategy semantics. In contrast, the 
composition of the two strategies in [7] does not generate a run or strategy 
for the composed system. 

Finally, with the three-player formulation, we can clarify the reducibility of a timed non-reachability (i.e. safety) game to a timed reachability game. For the two-player formulation it seems such a reduction is possible by exchanging the roles of the system and environment and complementing the target state set [7]. However, this is not true according to the three-player formulation, since a game of two players with a reachability objective and one player with a safety objective cannot be reduced to a game of two players with a safety objective and one player with a reachability objective.

Compositional timed synthesis. Since a specification may involve both realisation and normalisation, the composition of specifications involves the composition of synthesis games. We now understand that 1) normalisation games are composable under parallel and disjunction, 2) realisation games are composable under conjunction and 3) an ordered pair of realisation and normalisation games is composable under quotient.

Figure 9: Specifications for a print server, job buffer and printer.



For instance, our Lemma 14 implies (P^R ∏∧ Q^R)^R = (P ∏∧ Q)^R, which essentially gives us a compositional method to synthesise timed processes (cf. [16] for the compositional process synthesis of the untimed case). Based on such knowledge, when composing specifications by operator ⊗, we now understand that only the synthesis games composable under ⊗ in the specifications should be composed. The incomposable ones should be removed by performing realisation or normalisation in advance.

6. A Printing Example

To illustrate our theory, we consider a simple printing system. Figure 9 shows specifications of three components in the system: a print server, job buffer and printer. Intuitively, the print server decides when to initiate_print a document, after which it stores the job on the buffer. When the printer is told to wakeup, it will collect the job from the buffer, and, after printing it, confirm to the print server that the job has been printed. The invariants, co-invariants and guards place constraints on when actions may and must occur. For example, once the printer has been told to wakeup, it must collect a job at least 1s, although no more than 2s, later, and the document must have been printed within 10s, in order to satisfy the invariants. After the job buffer has been told to store a job, the co-invariant requires that the job is collected within 10s. For the print server, after deciding to initiate_print, the job must be stored exactly 2s later (imposed by the invariant and guard on state 2), and it requires that the job must have been printed within 10s (imposed by the co-invariant on state 3).

The three components can be composed under parallel. However, they will not work together without external coordination. For example, the wakeup input to the printer is not supplied by either of the other two components. Thus, we need a scheduler which can connect the three components together and produce the wakeup at the right time. The clever bit here lies in the synthesis of the scheduler strategies such that the printer is not told to wakeup too early or too late.

Figure 10: Parallel composition of the print server, job buffer and printer, and ⊥-backpropagation. (Left panel: Printer || Job Buffer || Print Server; right panel: after ⊥-backpropagation and ⊥-removal.)

Basically, we synthesise the scheduler by calculating the least refined environment such that the three can work together without violating any of their timing constraints: (Printer || Job_Buffer || Print_Server)^¬.

The left-hand side of Figure 10 shows the parallel composition of the three components in Figure 9, i.e. System = Printer || Job_Buffer || Print_Server, which is essentially the synchronised product of the specifications obtained by taking the conjunction of invariants, co-invariants and guards. The ⊥-state is reachable due to the non-input-enabledness of the collect transition in the job buffer (the printer collects the job too early or too late).

To perform mirroring on System, it must first be normalised. We implement the normalisation by a ⊥-backpropagation followed by ⊥-removal on System (footnote). On the right-hand side of Figure 10, we show the resultant TIOA after the two transformations (footnote).

Since the output transition collect at location A1S leads to ⊥, those states associated with location A1S on which collect is enabled will be auto-⊥ states. Collapsing them to ⊥ is equivalent to strengthening the co-invariant on A1S to keep only those states on which collect is not enabled. Thus the co-invariant is changed to z < 1.

Footnote: ⊥-removal is not strictly necessary for mirroring, but it simplifies the result for better readability.

After the change, however, the invariant at A1S becomes redundant. Thus all the remaining states associated with A1S become semi-⊥ states, since there is no outgoing input transition at A1S. Thus, location A1S can completely collapse to ⊥, culminating in the removal of its associated transitions (indicated by dotted lines).

For location A2S, similarly its co-invariant can be changed to z < 1 due to the auto-⊥ caused by its collect transition. But the new co-invariant will not make its invariant completely redundant. Instead, it is only when the co-invariant can reach its upper bound before the invariant reaches its own (i.e. when y − z ≤ 2 − 1) that the states at location A2S become semi-⊥. Thus, the co-invariant needs to be changed to y − z > 1 && z < 1. Then we can perform ⊥-removal on the incoming wakeup transition by removing the wakeup transition whose firing will make y − z ≤ 1 true. Thus, the guard y > 1 is added to the wakeup transition.

Similarly, location B3S has semi-⊥ if y − z > 10 − 2. Thus its co-invariant needs to be changed to y − z ≤ 8 && y ≤ 10 and its incoming wakeup transition needs to be strengthened with the guard y ≤ 8.

After the two transformations, we need to perform the mirror operation on the resultant TIOA by exchanging input with output and invariant with co-invariant. Then the final TIOA will be our synthesised scheduler. Due to the synthesis procedure, infeasible strategies, such as issuing wakeup before receiving initiate_print or issuing wakeup after receiving initiate_print but before clock y reaches 1s, are automatically eliminated.

7. Comparison with Related Work 

Our framework can be seen as a linear-time alternative to the timed specification theories of [11] and [13], albeit with significant differences. The specification theory in [11] also introduces parallel, conjunction and quotient, but uses timed alternating simulation as refinement, which does not admit the weakest precongruence (cf. P and Q in Figure [s]). An advantage of [11] is the algorithmic efficiency of branching-time simulation checking and the implementation reported in [12].

Footnote: Note that we use shaded areas in the right-hand side of Figure 10 to mark the guards and invariants/co-invariants changed by the transformations.

The work of [13] on timed games shares significantly more conceptual and technical similarities with ours, although they do not define refinement, conjunction and quotient. We adopt most of the game rules in [13], except that, due to our requirement that proposed delay moves are the maximal delays allowed by a strategy, a play cannot have consecutive delay moves.

This enables us to avoid the complexity of an infinite play (i.e. an infinite sequence of moves) generating a finite trace (cf. Section 2.2 for the definition of finite traces). So infinite plays generate only divergent traces (cf. the non-zenoness assumption). To completely eliminate time-blocking strategies, we only need to tackle the remaining case that finite plays end in timestop or timelock, which can be nicely solved using the realisation game. Thus the need for blame assignment is removed.

Secondly, we do not use timelock (i.e. semi-⊤) to model time errors (i.e. bounded-liveness errors). Rather, we introduce the explicit inconsistent state ⊥ to model both time and immediate (i.e. safety) errors. This enables us to avoid the complexity of having two transition relations and well-formedness of timed interfaces.

Similar to our work, [11] uses semi-⊤ to model timelock (so-called immediate errors in [11]). However, the pruning of timelocks is based on the synthesis game of [7]. Therefore, they cannot remove auto-⊤ and the pruning is strictly less aggressive.

Furthermore, incompatibility errors (so-called strictly undesirable states in [11]) are not in the core of the theory for [11]. They are more 'model-related errors' defined by the users, which are treated as plain states by the definition of operators and refinement. So it is unclear (e.g. for conjunction and quotient) what the product state will be if one component is in a strictly undesirable state.

This is in contrast to our theory, where the definition of the four operators, substitutive refinement relations, and the determinisation procedure are all based on the manipulation of ⊤ and ⊥; and the algebraic properties of the state composition operators can be lifted to the process level.

More specifically, some further technical points of comparison with [11, 13] are:

• Determinism: We can handle non-deterministic timed transition systems thanks to our modified determinisation procedure, while [11, 13] consider only deterministic timed transition systems. That is where a linear-time theory has advantages. It is not obvious how such an extension can work if the refinement is timed alternating simulation.

• AG reasoning: A specification in [11] is an input-enabled TIOA/TIOTS without ⊥ or co-invariants. Thus a specification contains no assumptions on the environment before users mark out strictly undesirable states. It is not a fully assume-guarantee specification theory in the sense that a specification (or interface) combines and mixes assumptions and guarantees in a unified way.

• Implementation and strategy: A specification in [11] can be interpreted as a set of implementations, while our timed strategy semantics interprets a specification as a set of strategies. There is some similarity. However, the major differences are:

— Strategies are tree-like partial unfoldings of the original transition system, while implementations are (potentially cyclic) transition systems alternating-simulating the original system.

— We have implicit strategies which can be neither partial unfoldings nor alternating simulations of the original systems.

— Strategies are based on game theory and use game rules like those in [13]. However, implementation is less closely related to game theory.

In comparison with the untimed specification theories ^, our timed extension 
requires new techniques (e.g. those related to timestop) to handle delay 
transitions, since time can be modelled neither as input nor as output. 
Timestop enables us to discover the surprisingly simple and robust notions of 
semi-$\top$/$\bot$ and $\top$/$\bot$-backpropagation, whose definitions indicate 
the canonicity of the notions. Furthermore, with the assistance of time, 
bounded liveness in terms of clock bounds suffices to specify and verify most 
liveness-related properties. Bounded liveness is especially simple and natural 
to use and work with in timed models, since invariants/co-invariants and finite 
traces suffice to capture it. In contrast, in the untimed world bounded liveness 
is cumbersome to specify and work with; in most cases one has to resort to 
infinite traces to treat liveness properly. 

Finally, we remark that our linear-time specification theory owes much to 
the pioneering work on trace theories for asynchronous circuit verification, 
such as Dill's trace theory [TJ]. It is from this community that we take 
inspiration for the timed extension of mirror and the derivation of quotient 
from mirror.^^ In some sense, this work can be regarded as a combination 
of this line of work with another line of work to which Dill has also made 
a seminal contribution, timed automata. It is highly satisfying to see the 
synergy between the two lines of work, as indicated by the results in this 
work. 

We briefly mention other related works, which include timed modal transition 
systems [5, 8], the timed I/O model [17] and embedded systems [22]. 



8. Conclusion and Future Work 

We have devised a fully compositional specification theory for realisable 
components with real-time constraints. The linear-time theory enjoys strong 
algebraic properties, supports a full set of composition operators, and admits 
the weakest substitutive pre-congruence preserving safety and bounded-liveness 
error freedom. The framework can be seen as an alternative to, or a refinement 
of, the timed theories of [11, 13]. Future work will consider assume-guarantee 
reasoning for timed systems, as well as the implementation of our theory. The 
latter, we believe, can benefit from the timed-game based algorithms and 
results of pTj. 

Acknowledgments. The authors are supported by EU FP7 project CON- 
NECT, ERC Advanced Grant VERIWARE and EPSRC project EP/F001096. 

Appendix A. Composing TIOA 

We use $\otimes$ to range over the operator set $\{\|, \vee, \wedge, \%\}$, and use $l$ and $n$ to 
range over the set of locations (i.e. $L$). 

We say a TIOA $\mathcal{P} = (C, I, O, L, n^0, AT, Inv, coInv)$ is $\top$-completed iff, 
for all $a \in O$ and $l \in L$, we have $\bigvee\{\, g \mid l \xrightarrow{g,a,r} l' \in AT \,\} = \mathit{true}$ 
(here $l \xrightarrow{g,a,r} l'$ is a transition of $AT$ with guard $g$, action $a$ and clock 
resets $r$). Note that, unlike the definition for TIOTSs, TIOAs do not require 
$\top$-completion on delay transitions. We say $\mathcal{P}$ is $\bot$-completed iff, for all 
$a \in I$ and $l \in L$, we have $\bigvee\{\, g \mid l \xrightarrow{g,a,r} l' \in AT \,\} = \mathit{true}$. 

^^The mirror-based definition of quotient (for the untimed case) was first presented by 
Verhoeff as his Factorisation Theorem [23]. 
Given two $\otimes$-composable $\top/\bot$-completed TIOAs with disjoint clocks 
($C_0 \cap C_1 = \emptyset$), $\mathcal{P}_i = (C_i, I_i, O_i, L_i, n_i^0, AT_i, Inv_i, coInv_i)$ for 
$i \in \{0, 1\}$, their synchronised product gives rise to another TIOA 
$\mathcal{P} = \mathcal{P}_0 \otimes \mathcal{P}_1$: 

• $C = C_0 \cup C_1$, $(I, O) = (I_0, O_0) \otimes (I_1, O_1)$ and $L = L_0 \times L_1$; 

• $n^0 = n_0^0 \times n_1^0$; 

• $AT$ is the least relation that contains $AT_0$, $AT_1$ and 
$$\{\, l_0 \times l_1 \xrightarrow{g_0 \wedge g_1,\ a,\ r_0 \cup r_1} n_0 \times n_1 \mid l_0 \xrightarrow{g_0,a,r_0} n_0 \in AT_0 \ \wedge\ l_1 \xrightarrow{g_1,a,r_1} n_1 \in AT_1 \,\}$$ 
$$\cup\ \{\, l_0 \times l_1 \xrightarrow{g_0,a,r_0} n_0 \times l_1 \mid l_0 \xrightarrow{g_0,a,r_0} n_0 \in AT_0,\ a \in (A_0 \setminus A_1) \,\}$$ 
$$\cup\ \{\, l_0 \times l_1 \xrightarrow{g_1,a,r_1} l_0 \times n_1 \mid l_1 \xrightarrow{g_1,a,r_1} n_1 \in AT_1,\ a \in (A_1 \setminus A_0) \,\},$$ 
where $A_i = I_i \cup O_i$ is the action alphabet of $\mathcal{P}_i$; 

• and $(Inv(l_0 \times l_1), coInv(l_0 \times l_1)) = (Inv_0(l_0), coInv_0(l_0)) \otimes (Inv_1(l_1), coInv_1(l_1))$. 
We define the $\otimes$ invariant/co-invariant composition operations as follows: 

• $(Inv_0, coInv_0) \,\|\, (Inv_1, coInv_1) = (Inv_0 \wedge Inv_1,\ coInv_0 \wedge coInv_1)$ 

• $(Inv_0, coInv_0) \wedge (Inv_1, coInv_1) = (Inv_0 \wedge Inv_1,\ coInv_0 \vee coInv_1)$ 

• $(Inv_0, coInv_0) \vee (Inv_1, coInv_1) = (Inv_0 \vee Inv_1,\ coInv_0 \wedge coInv_1)$ 

• $(Inv_0, coInv_0) \,\%\, (Inv_1, coInv_1) = (Inv_0 \wedge coInv_1,\ coInv_0 \wedge Inv_1)$ 

Note that in the above definition we exploit the fact that the addition or 
removal of $\mathit{false}$-guarded transitions to $AT$ does not change the semantics of 
the automata. 

Strongly non-zeno TAs are known to be determinisable. For instance, 
[6] gives a symbolic procedure based on game and region construction. We 
can easily modify the procedure to implement the TIOTS determinisation 
defined in Section 2, giving rise to a new procedure $DET(\mathcal{P})$ on TIOA $\mathcal{P}$. 

On deterministic TIOAs, we can implement both the $\top$- and $\bot$-backpropagation 
procedures by fixpoint calculation on top of constraint backpropagation, 
denoted $BP(\mathcal{P}, \top)$ and $BP(\mathcal{P}, \bot)$ respectively. 

With such transformations on TIOAs, all the operators in theories I and 
II become definable on TIOAs from the $\otimes$ operators on TIOAs. 
Appendix B. Declarative Theory of Contracts 

We now present a timed-trace characterisation of our compositional speci- 
fication theory. For this purpose we adopt the contract framework promoted 
in [3], which has the advantage of explicitly separating assumptions from 
guarantees. 

Given any TIOTS $\mathcal{P} = (I, O, S, s^0, \rightarrow)$, three sets of traces can be 
extracted from the $\top/\bot$-completion of $\mathcal{P}$: 

• $TP$, a set of timed traces leading to plain states; 

• $TE$, a set of timed traces leading to the error state $\bot$; 

• $TM$, a set of timed traces leading to the magic state $\top$. 

$TE$ and $TM$ are extension-closed due to the chaotic nature of $\top$ and $\bot$, while 
$TP$ is prefix-closed. Since $TE \cup TP \cup TM$ is the full set of timed traces (i.e. 
$t\mathcal{A}^*$), we need only two of the trace sets to characterise $\mathcal{P}$. 

In the system-environment interaction (as explained in our timed game 
framework), $TE$ is the set of behaviours which the environment tries to steer 
the interaction away from, whereas $TM$ is the set of behaviours which the 
component tries to steer away from. Thus, $TE$ characterises the assumptions 
required on the environment, while $TM$ characterises the guarantees 
provided by the system. 

A contract based on $TE$ and $TM$ defines the semantics of $\mathcal{P}$, characterising 
the congruence $\sim$ [10]. 

Definition 7 (Contract). A contract is a tuple $(I, O, AS, GR)$, where $AS$ 
and $GR$ are two disjoint extension-closed trace sets. The contract of $\mathcal{P}$ is 
defined as $\mathcal{TT}(\mathcal{P}) := (I, O, TE, TM)$. 



When $\mathcal{P}$ is a specification (including the unrealisable specification^^), $GR$ 
in $\mathcal{TT}(\mathcal{P})$ is I-receptive. We say a trace set $TT$ is I-receptive iff, for each 
$tt \notin TT$, we have 1) $tt \frown \langle e \rangle \notin TT$ for all $e \in I$ and 2) $tt \frown \langle d \rangle \in TT$ for 
some $d \in \mathbb{R}^{\geq 0}$ implies there exists $w \in tO^*$ s.t. $tt \frown w \notin TT$ and $l(w) < d$. 

When $\mathcal{P}$ is a normalised specification (including the inconsistent 
specification^^), we have furthermore that $AS$ in $\mathcal{TT}(\mathcal{P})$ is O-receptive. We say a 
trace set $TT$ is O-receptive iff, for each $tt \notin TT$, we have 1) $tt \frown \langle e \rangle \notin TT$ 
for all $e \in O$ and 2) $tt \frown \langle d \rangle \in TT$ for some $d \in \mathbb{R}^{\geq 0}$ implies there exists 
$w \in tI^*$ s.t. $tt \frown w \notin TT$ and $l(w) < d$. 

^^When $\mathcal{P}$ is the unrealisable specification, i.e. the $\top$-TIOTS, $GR$ is empty. 
^^When $\mathcal{P}$ is the inconsistent specification, i.e. the $\bot$-TIOTS, $AS$ is empty. 

Given a TIOTS $\mathcal{P}$, the realisation of $\mathcal{P}$, i.e. $\mathcal{P}^{\top}$, can be implemented by 
$\top$-backpropagation on contracts: 

Definition 8 (Realisation). Given a contract $(I, O, AS, GR)$, we define 
$(I, O, AS, GR)^{\top} = (I, O, AS \setminus GR^{\top}, GR^{\top})$, where $GR^{\top}$ is the least extension-closed 
superset of $GR$ s.t. no $tt \in t\mathcal{A}^*$ is an auto-$\top$ or semi-$\top$ w.r.t. $GR^{\top}$. 

We say a trace $tt \in t\mathcal{A}^*$ is an auto-$\top$ w.r.t. $TT$ iff $tt \notin TT$ and $tt \frown \langle e \rangle \in TT$ 
for some $e \in I$. A trace $tt \in t\mathcal{A}^*$ is a semi-$\top$ w.r.t. $TT$ iff $tt \notin TT$ 
and there exists some $d \in \mathbb{R}^{\geq 0}$ s.t. $tt \frown \langle d \rangle \in TT$ and $tt \frown \langle d_0, e \rangle \in TT$ 
for all $0 \leq d_0 < d$ and $e \in O$. It is easy to verify that $GR^{\top}$ is I-receptive and 
$\mathcal{TT}(\mathcal{P})^{\top} = \mathcal{TT}(\mathcal{P}^{\top})$. 

Given a specification $\mathcal{P}$, the normalisation of $\mathcal{P}$, i.e. $\mathcal{P}^{\bot}$, can also be 
implemented by $\bot$-backpropagation on contracts: 

Definition 9 (Normalisation). Given a contract $(I, O, AS, GR)$ with I-receptive 
$GR$, we define $(I, O, AS, GR)^{\bot} = (I, O, AS^{\bot}, GR \setminus AS^{\bot})$, where 
$AS^{\bot}$ is the least extension-closed superset of $AS$ s.t. no $tt \in t\mathcal{A}^*$ is an auto-$\bot$ 
or semi-$\bot$ w.r.t. $AS^{\bot}$. 

A trace $tt \in t\mathcal{A}^*$ is an auto-$\bot$ w.r.t. $TT$ iff $tt \notin TT$ and $tt \frown \langle e \rangle \in TT$ for some $e \in O$. 
A trace $tt \in t\mathcal{A}^*$ is a semi-$\bot$ w.r.t. $TT$ iff $tt \notin TT$ and there exists some 
$d \in \mathbb{R}^{\geq 0}$ s.t. $tt \frown \langle d \rangle \in TT$ and $tt \frown \langle d_0, e \rangle \in TT$ for all $0 \leq d_0 < d$ and $e \in I$. 
It is easy to verify that $AS^{\bot}$ is O-receptive and $\mathcal{TT}(\mathcal{P})^{\bot} = \mathcal{TT}(\mathcal{P}^{\bot})$. 
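The receptiveness conditions and the closures of Definitions 8 and 9 can be run mechanically once delays are made discrete and traces are bounded. What follows is an added illustration, not code from the paper: a Python toy in which time advances in unit ticks (a pseudo-action TICK standing for the delay $\langle 1 \rangle$, so $l(w)$ counts ticks) and traces are cut off at a fixed horizon; both are assumptions of this example only. On two constructed specifications over $I = \{req\}$ and $O = \{ack\}$ it shows $\top$-backpropagation exposing an unrealisable specification ($\top$ reaches the empty trace) and $\bot$-backpropagation pushing an output-triggered error back to the input that enabled it, together with the O-receptiveness check before and after normalisation.

```python
"""
Added example (not code from the paper): a discrete-time, bounded-horizon
model of I-/O-receptiveness and of the closures of Definitions 8 and 9.

Assumptions of this toy (mine, not the paper's):
  * time advances in unit steps, written as the pseudo-action TICK; a delay
    <d> is d TICKs and l(w) is the number of TICKs in w;
  * traces are cut off at length HORIZON, so every extension-closed set is
    a finite set of tuples and the least fixpoints are plain iteration
    (traces near the horizon cannot see delays beyond it).
"""
from itertools import product

TICK = "tick"
HORIZON = 5


def universe(alphabet, horizon=HORIZON):
    """All timed traces over alphabet ∪ {TICK} of length ≤ horizon."""
    letters = tuple(sorted(alphabet)) + (TICK,)
    return frozenset(tt for n in range(horizon + 1)
                     for tt in product(letters, repeat=n))


def ext_close(seeds, alphabet):
    """Extension closure of seeds inside the bounded universe."""
    seeds = set(seeds)
    return frozenset(tt for tt in universe(alphabet)
                     if any(tt[:k] in seeds for k in range(len(tt) + 1)))


def is_auto(tt, TT, trigger):
    """auto-⊤ (trigger = I) or auto-⊥ (trigger = O) w.r.t. TT."""
    return tt not in TT and any(tt + (e,) in TT for e in trigger)


def is_semi(tt, TT, escape, horizon=HORIZON):
    """semi-⊤ (escape = O) or semi-⊥ (escape = I) w.r.t. TT: some delay d
    enters TT and every escape action fired at any d0 < d enters TT too."""
    if tt in TT:
        return False
    for d in range(1, horizon - len(tt) + 1):
        if tt + (TICK,) * d in TT and all(
                tt + (TICK,) * d0 + (e,) in TT
                for d0 in range(d) for e in escape):
            return True
    return False


def is_receptive(TT, trigger, escape, alphabet):
    """I-receptive: trigger = I, escape = O.  O-receptive: trigger = O, escape = I."""
    return not any(is_auto(tt, TT, trigger) or is_semi(tt, TT, escape)
                   for tt in universe(alphabet))


def backpropagate(TT, trigger, escape, alphabet):
    """Least extension-closed superset of TT with no auto or semi traces."""
    closed = ext_close(TT, alphabet)
    while True:
        new = {tt for tt in universe(alphabet)
               if is_auto(tt, closed, trigger) or is_semi(tt, closed, escape)}
        if not new:
            return closed
        closed = ext_close(closed | new, alphabet)


def realise(contract):
    """Definition 8: (I,O,AS,GR)^⊤ = (I,O, AS \\ GR^⊤, GR^⊤)."""
    I, O, AS, GR = contract
    GR_top = backpropagate(GR, trigger=I, escape=O, alphabet=I | O)
    return I, O, ext_close(AS, I | O) - GR_top, GR_top


def normalise(contract):
    """Definition 9: (I,O,AS,GR)^⊥ = (I,O, AS^⊥, GR \\ AS^⊥)."""
    I, O, AS, GR = contract
    AS_bot = backpropagate(AS, trigger=O, escape=I, alphabet=I | O)
    return I, O, AS_bot, ext_close(GR, I | O) - AS_bot


def run_example():
    """Two constructed specifications over I = {req}, O = {ack}."""
    I, O = frozenset({"req"}), frozenset({"ack"})
    A = I | O
    # Spec 1: after req every ack is unexpected (⊤) and letting three ticks
    # pass is ⊤ as well, so the component has no escape: realisation must
    # backpropagate ⊤ through req down to the empty trace (unrealisable).
    trapped = (I, O, {("req", "req")},
               {("req", "ack"), ("req", TICK, "ack"),
                ("req", TICK, TICK, "ack"), ("req", TICK, TICK, TICK)})
    _, _, AS_t, GR_t = realise(trapped)
    # Spec 2: the assumption forbids a second ack after req.ack, but ack is
    # an output the environment cannot block: normalisation backpropagates
    # ⊥ to the trace <req>, i.e. the real assumption is "never send req".
    loose = (I, O, {("req", "ack", "ack")}, {("req", TICK, TICK, TICK)})
    _, _, AS_l, GR_l = normalise(loose)
    return {
        "trapped_is_unrealisable": () in GR_t,
        "trapped_assumptions_left": len(AS_t),
        "loose_AS_was_O_receptive": is_receptive(ext_close({("req", "ack", "ack")}, A), O, I, A),
        "loose_env_must_never_req": ("req",) in AS_l and () not in AS_l,
        "loose_AS_now_O_receptive": is_receptive(AS_l, O, I, A),
        "loose_guarantees_left": len(GR_l),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Because the universe is finite, the least fixpoints are computed by plain iteration; with real-valued delays the same fixpoints are what $BP(\mathcal{P}, \top)$ and $BP(\mathcal{P}, \bot)$ of Appendix A compute on clock constraints. The truncation has a price: a semi-$\top$ or semi-$\bot$ trace whose witnessing delay lies beyond the horizon is not detected, so the toy under-approximates the closure near the horizon.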

A coarsening of contracts gives a characterisation of $\sqsubseteq_r$, which says $\mathcal{P}$ is 
a refinement of $\mathcal{Q}$ iff $\mathcal{P}$ has less assumption and more guarantee than $\mathcal{Q}$. 

Definition 10 (Realisable contract). A contract $(I, O, AS, GR)$ is a realisable 
contract iff $AS$ is O-receptive and $GR$ is I-receptive. The realisable 
contract of a specification $\mathcal{P}$ is defined as $\mathcal{CT}(\mathcal{P}) := \mathcal{TT}(\mathcal{P})^{\bot}$. 

Theorem 6. For specifications $\mathcal{P}_0$ and $\mathcal{P}_1$ with realisable contracts $(I, O, AS_0, GR_0)$ 
and $(I, O, AS_1, GR_1)$ respectively, $\mathcal{P}_0 \sqsubseteq_r \mathcal{P}_1$ iff $AS_1 \subseteq AS_0$ and 
$GR_0 \subseteq GR_1$. 
Given two specifications $\mathcal{P}_i$ for $i \in \{0, 1\}$, with $\bar{i} = 1 - i$, s.t. 
$\mathcal{CT}(\mathcal{P}_i) = (I_i, O_i, AS_i, GR_i)$, we define the parallel, disjunction, conjunction and 
quotient operations on realisable contracts. The core part of the operations is 
based on the patterns originally discovered by [15, 21]. The specialisation 
required for the timed theory to work lies in the application of closure 
conditions like normalisation and realisation. 

We first define the alphabet enlargement operation on realisable contracts 
before defining the major operators. 

Alphabet enlargement. Given a set $A$ of actions disjoint from $I \cup O$, we define 
$(I, O, AS, GR)^{A} := (I \cup A, O, AS^{A}, GR^{A})$, where 
$TT^{A} := \{\, tt \in (t\mathcal{A} \cup A)^* \mid tt \restriction t\mathcal{A} \in TT \,\} \cdot (t\mathcal{A} \cup A)^*$. 

Parallel composition and disjunction. 

Proposition 4. If specifications $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\|$-composable, then 
$\mathcal{CT}(\mathcal{P}_0 \| \mathcal{P}_1) = (I, O, (AS_0^{A_0} \cup AS_1^{A_1}) \setminus (GR_0^{A_0} \cup GR_1^{A_1}), GR_0^{A_0} \cup GR_1^{A_1})$, 
closed under the realisation/normalisation of Definitions 8 and 9, where 
$I = (I_0 \cup I_1) \setminus O$, $O = O_0 \cup O_1$, $A_0 = (I_1 \cup O_1) \setminus (I_0 \cup O_0)$ and 
$A_1 = (I_0 \cup O_0) \setminus (I_1 \cup O_1)$. 

Intuitively, the above says that the guarantee of the parallel composition 
is the combined guarantees provided by the components, while the assumption 
of the parallel composition is the combined assumptions of the components 
minus those that have been fulfilled by their guarantees. 

Proposition 5. If specifications $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\vee$-composable, then 
$\mathcal{CT}(\mathcal{P}_0 \vee \mathcal{P}_1) = (I, O, AS_0 \cup AS_1, GR_0 \cap GR_1)$, closed under the 
realisation/normalisation of Definitions 8 and 9, where $I = I_0 = I_1$ and $O = O_0 = O_1$. 

That is, disjunction unions assumptions and intersects guarantees. 

Conjunction and quotient. 

Proposition 6. If $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\wedge$-composable, then 
$\mathcal{CT}(\mathcal{P}_0 \wedge \mathcal{P}_1) = (I, O, AS_0 \cap AS_1, GR_0 \cup GR_1)$, closed under the 
realisation/normalisation of Definitions 8 and 9, where $I = I_0 = I_1$ and $O = O_0 = O_1$. 

Proposition 7. If specification $\mathcal{P}_0$ dominates specification $\mathcal{P}_1$, then 
$\mathcal{CT}(\mathcal{P}_0 \% \mathcal{P}_1) = (I, O, AS_0 \cup GR_1^{A_1}, (GR_0 \setminus GR_1^{A_1}) \cup (AS_1^{A_1} \setminus AS_0))$, 
closed under the realisation/normalisation of Definitions 8 and 9, where 
$I = I_0 \cup O_1$, $O = O_0 \setminus O_1$ and $A_1 = (I_0 \cup O_0) \setminus (I_1 \cup O_1)$. 

Intuitively, the above says that the quotient assumes the $\mathcal{P}_0$-assumption 
combined with the $\mathcal{P}_1$-guarantee, and it guarantees 1) the $\mathcal{P}_0$-guarantee not 
covered by the $\mathcal{P}_1$-guarantee as well as 2) the $\mathcal{P}_1$-assumption missing from 
the $\mathcal{P}_0$-assumption. 
Mirror. The operation is straightforward: it simply exchanges assumption 
and guarantee. 

Proposition 8. If $\mathcal{CT}(\mathcal{P}) = (I, O, AS, GR)$, then the realisable contract of the 
mirror of $\mathcal{P}$ is $(O, I, GR, AS)$. 

Contract. The terminology of contract was coined by Meyer and Back. The 
meta-theory of contracts dates back to the trace theory of [15], especially one 
of its abstract reformulations [21]. Both works draw upon earlier ideas from 
asynchronous circuit verification. 